Release notes from Factory release 1.18.008 to Factory release 1.18.009

Slight change for delayed packets (error packets/responses) affected normal traffic

Release notes from Factory release 1.18.007 to Factory release 1.18.008

Speed lanes were not re-allocated when time profiles changed unless "re-route" also ticked on profile. Fixed

Release notes from Factory release 1.18.005 to Factory release 1.18.007

Slight change in TCP stack for RST responses

Release notes from Factory release 1.18.003 to Factory release 1.18.005

Corrected winter time / summer time change to be 01:00 UTC not 01:00 BST

Release notes from Factory release 1.18.002 to Factory release 1.18.003

Subtle internal error in tunnel handling fixed - could drop some tunnel packets incorrectly.

Release notes from Factory release 1.18.001 to Factory release 1.18.002

Changed URL for manuals and software on FireBrick website.

Release notes from Factory release 1.18.000 to Factory release 1.18.001

Internal changes for factory build - no other changes

Release notes from Factory release 1.16.047 to Factory release 1.18.000

Added bootp server name (sname) and filename (file) options to subnets.
Changed behaviour of DHCP Restrict option - now means that if a name matches any resticted subnet then it can only have IPs from that subnet. Still means names that do not match cannot have IPs from restricted subnets, as before.
Fixed log of refused DHCP request to show IP requested not one being offer instead
Fixed DHCP removal existing IP if out of range IP requested (e.g. laptop moving between sites)
DHCP server now only fields requested in options in request. If no options requested then everything possible is sent.
DHCP server bootp options now server IP and file, not server name.
DHCP server sends lease time even if not in list of requested options as linux does not ask for it then assumes 0, duh!!
DHCP restrict only applies if restricted subnet is in enabled profile
Further tidy of DHCP server to avoid messy duplicate MACs in allocation in some obscure circumstances where previous entry is now invalid.
Added some extra debug logging to DHCP server for when IP allocations change.
Made DHCP server debug messages a bit more consistent.
DHCP status page now allows manual naming of clients which do not send a name - type name and press return.
Added low level interrupt load control for rare cases of stupidly high volume LAN/LAN traffic
Added Fast TOS to speed lanes - making packets with TOS 0x10 (low latency) are not delayed by that speed lane.
Changed tunnel code to preserve TOS of contained packet allowing Fast TOS to be used on tunnelled VoIP traffic.
Changed login slightly to avoid showing username/password in location bar on some broswers.
Fixed bug where LAN and WAN are both DHCP client, but no server on WAN, took ages for LAN to get address.
DHCP server will send SMTP server address if requested by client
TCP SYN+FIN or SYN+RST will now be put through default filter/logging
Slight change to "Fast/TOS" mode. TOS with it 4 or 7 are treated as "priority"
Summer/winter time control only applies if time is actualy set - was creating otherwise spurious log entries.
Changed default TTL from 64 to 100 as some people run tunnels over very strange internet links.
Changed source port for time setting to 1024 not 2 as low source ports caused problems on some firewalls, leased lines and even current linux releases.
Changed default time servers (for factory default)
Incorrect tunnel name for source tunnel traffic on session table, fixed
COrrect time zone on "last login" on users list, was UTC
New bonded uplink feature designed for ADSL line use. See manual for details.
No longer treating the "network" address as a broadcast on the LAN. Ideal as pseudo gateway for bonded uplink feature.
Slight change for ATE operation.
Interface swap option to setup screen so LAN on left and WAN on 4 port hub
Factory reset changed, using port 2 sets DHCP client/server and LAN/WAN reverse, port 3 sets non DHCP and LAN/WAN reverse.
Changed web log output to cater for <, >, and & in the log, e.g. from login attempts (shows as -)
Changes to live sessions talking to/from the FireBrick are dropped if the IP in use changes (for tunnels and DHCP)
Changes of IP on subnets now cause the FireBrick to send a self ARP query to help detect duplicate IPs
Changed email from FireBrick to include text of first email log line at end of subject (also included in body as before) - ideal for SMS'd subjects
Some tunnel and dhcp logging made "events" not "debug", and "debug" entries removed.
Basic SNMP (read only) operation, compatible with mrtg, allowing monitoring of WAN, LAN and speed lanes. Please advise any incompatibility issues.
Profiles can now be set to be dependant on another profile (or not a profile) being active. Ideal for multiple fallback routing.
Profiles can now be dependant on another profile (AND/OR)
Adjusted default master speed lane to 1250KB/s limit
Complete rewrite of SNMP. Now includes responses with correct types for all of the "interfaces" group. snmpwalk is happy. cfgmaker is happy. Please test and advise any problems.
Minor changes to improve speed of software upload on LAN
SNMP now reports interface speed for a speed lane as the highest of the rate *or* cap on a speed lane, as rate alone could be too low and so ignored by mrtg.
Changes to internal operation of user interface - please advise if any problems
Profiles were not being set in some options (e.g. subnet) in SoHo, fixed
Full protocol selection (e.g. GRE, IPSec) now available in SoHo
Bonded uplink now available on SoHo (but not ping scanning or fallback)
Load balanced routing now available in SoHo, but cannot put after subnets like the Plus
Bounce mode for filters now available on SoHo
Filter timeout control now available on SoHo
SYN, bypass and end-log filter options now available on SoHo
Changed UI to non frames, and stylesheets - now works from a P800 - please let me have comments
Added some colour selection to the UI settings allowing the main background to be selected (per user)
Changed so that re-route on profiles clears and FB initiated UDP sessions such as tunnels.
Changed portmap so that if there is a port, but no protocol specific, then the packet has to be TCP or UDP. Previously another protocol other than UDP or TCP would ignore the port and hence match the portmap.
Added second pseudo address to allow bonded uplink as well as load balanced NATing downlink. If using bonded uplink already, set the pseudo address the same as your gateway.
Reversed In/Out for speed lanes on SNMP to be a bit more logical overall.
Minor corrections to user interface - do not use Agatha
Fixed "Clear alert" on Setup.
Changed to link from login as this affected customers using other ports than port 80
Added tunnel source IP address option (useful when using multiple backup routes)
Default IMAP filter changed for IMAP4 (port 143)
It appears that moving filters, or routes, etc, left the firebrick in a state where a reboot would lose the config.
As 1.17.283 (Estelle)

Release notes from Factory release 1.16.039 to Factory release 1.16.047

Minor change to DHCP client for cable modems.

Release notes from Factory release 1.16.000 to Factory release 1.16.039

Minor change so that tunnels within tunnels operate correctly.
Additional tunnel features - tunnel keep alives
Time profiles made more sensitive - now work on a 10 second cycle not 23 seconds
Diagnostics / Counters section now advises WAN and LAN inteface MAC address
Status - sessions screen shows which tunnel traffic is coming from / going to
On main status page, green right hand LED over WAN port was showing LAN port 4's link status not the WAN link status! Fixed

Release notes from Factory release 1.14.011 to Factory release 1.16.000

Security fix to ensure logs only accessable from authorised users
Changed logic for ends to range being detected as masks - allows range to end 255.255.255.255
Various optimisation and minor improvements to internal operation
Significant improvement to speed of tunnel traffic when shared secret is used.
More subnets and speed lanes
Updates for new "reroute" option on profiles used with "same IP" fallback routes
Fixed a side effect of re-routing traffic where it would end up in the wrong speed lane and not tracking re-routed sessions correctly
Changed protocol 41 to name Encap/SIP
Added DHCP DNS addresses to subnet
DHCP allocation was not always re-allocating the oldest unused IP when there was no more space, fixed
Slight change to DHCP protocol messages - tidy up - should have no functional impact.
Adjusted DHCP client renewal slightly - no request IP now in renewal messages where IP is in packet header instead.
Tidied up DHCP debug log messages.
Removed "Broadcast renewal" option from DHCP settings as it was not helpful.
To clarify - DHCP client is now working the same as windows 2000 machines.
Further DHCP change to ensure correct subnet when re-allocating oldest used address
Changed so can edit time profiles times when clock not set
Users shows logged in users
New page in UI, dump?DHCP=1, which produces CSV format DHCP allocation report
End log has extra entry which shows internal flags for session - to be documented.
As 1.15.049 Dolores beta release.

Release notes from Factory release 1.14.000 to Factory release 1.14.011

Various optimisations and minor changes

Release notes from Factory release 1.12.000 to Factory release 1.14.000

Increased number of web sessions handled for admin pages.
Change to the way tunneling works not compatible with older versions.
Route source list did no show "Any" when all interfaces selected, fixed.
Changed tunnel segment reassembly timeout to 2 seconds.
Changed wording for "Force" to "don't segment" on tunnels.
Changed tunnel default outgoing MTU to 576.
Ensured DF bit set on outgoong tunnel packets.
Added source MAC to filter logging.
Added more infor to fragment tunnel error message.
Removed tunnel reassembly timeout log message as this is normal for TCP communications (speeds up until dropping packets).
Fixed input for MTU on tunnel so does not include comma if comma formatted, duh.
Profiles not saving on routes in SoHo, fixed.
Very subtle change such that TCP packets are allowed with FIN and/or RST when filter mode "bypass" is selected. Note filter mode "syn" still requires SYN and not ACK even if filter mode "bypass" also selected. Very specific application so don't worry if this makes no sense to you.
Switched profiles were not showing on quick set up screen if also controlling alert LED, fixed
Obscure error would rest firebrick if handling response for a "Bounce" when session table full
Increase number of port maps to 40 on the Plus.
Internal factory support changes.
DHCP reallocation of oldest unused IP when no space was faulty. Fixed.
Further chnage to handling of DHCP when no allocations left. Previous beta could incorrectly re-use restricted allocation if it was the oldest.
New factory issue, see beta releases 1.13.xxx for details of all changes since last factory release.
Factory reset using hub ports 1, 2 and 3 sometimes did not reset. Port 4 (right) always worked. Fixed
Updated internal operation for additional ATE testing.
All Stealth disable option was not stopping local/subnet broadcasts as well. Fixed

Release notes from Factory release 1.10.000 to Factory release 1.12.000

Changed time profiles so that there is always an option for the profile being off, and hence have removed the "OFF" time profile which is now "Not 24/7" and also removed "ping failure" option as it is "Not" the pinged option (expect for existing configurations still using this)
Made switched profile appear in quick setup screen.
Route list now shows the default gateway as the last routing entry, to make routing order easier to understand
Route list (on plus) now includes an entry marking where the subnets are processed, default at the end before the gateway - but this can now be moved.
Note, downgrading to older configs could cause loss of some config data (reverting to factory defaults). Thsi is fixed, so downdraginge for later versions to this one should not have the same problem.
Changed wording on profile screen to differenciate time controlled and switched profiles
New speed lane feature to allow TCP ACK packets to queue jump speed controls, intended for ADSL uplink speed controls to avoid slowing downlink traffic by delayed ACKs
CHANGE IN OPERATION OF SPEED LANES: The first speed lane is now a master speed lane which is applied after any other speed lane is applied. Most installations will not be affected by this change in operation, but please check your speed lanes carefully after upgrading
Filter profile selection corrected
"Fast" option added to speed lanes allowing them to queue jump the master speed lane (e.g. for VoIP, telnet, etc)
Not showing last month, etc, on counters if clock not set as meaningless
Summer time now set automatically without the firebrick having to be on when the clocks change. To set manually, adjust times for change or set to "Never".
Added debug to show if tunnel packets fragmented
Changed summer time adjust to happen at 1am local winter time. Was happening at 1am UTC, which is fine if you are in the UK
Updated handling of fragments in speed lane to better handle nfs in speed controlled environment
"Knight Rider" effect was not syncing up for multiple firebrick demo, fixed
Profiles can now be set to activate ALERT LED (permanently on) when active or inactive - ideal for ISDN fallback warning
Made default settings not have any "Flash" settings to activate flashing LED as its annoying and not that useful
A recent beta release had broken the profile selection in filters - was always coking up 24/7 although changes took effect.
On SoHo filter profile selection was not being shown even though profiles are now available on SoHo. Fixed.
Internal change for factory Labeling station.
Minor bug in Boris - truncating the firebick name in interface selection
Removed "serial" interface setting as not used.
Fixed bug in Boris truncating serial numbers, sorry.
New Factory release of Douglas.

Release notes from Factory release 1.08.000 to Factory release 1.10.000

General tidy up after changing interrupt handlers
Important security note - the config load and save will now transfer the whole of the configuration regardless of permissions of the user loading and saving. This means that "upload" rights are more significant and should be carefully considered. The config save option is now only available to users with view rights for the upload security level.
Special functions reboot, manufacture, and factory init now added to emergency UI (i.e. when no UI file has been loaded).
IP Protocol 55 was showing as garbage name rather than just 55, fixed
Updated user guide with changes to upload/download security
Three pre-defined time profiles added, 9-5 M-F, 2am Sun, and OFF
Time profile selection added to SoHo model, allowing use of predefined time profiles only
SoHo loading config would lose the tunnel setting, fixed
Slight change of behavior when bombarded with bogus web requests (like some worms do) so TCP sessions cleared more quickly.
Slight change to some debug messages.
Further minor change to TCP timeouts
Minor internal changes for factory setup
Minor change to TCP stack to ensure stupidly low MSS options cannot cause problems (min accepted is 64)
Changed TCP bounce to also set MSS=0 option to "upset" far end stack on some systems (already sends window=0)
New factory release incorporating all 1.9 beta changes. Filter timeouts failed if they were over 999 and formatting with , selected. Fixed
Removed ping scan log option from SoHo as not used.

Release notes from Factory release 1.00.115 to Factory release 1.08.000

Minor change to ethernet drivers
Changed DHCP debug messages to quote netmasks in bitcount format as used on subnet screen
Yet another change on ethernet drivers, very slightly worse performance - anyone who has had problems with FireBricks resetting please try this version and let us know (support@firebrick.co.uk) how it goes, thanks.
Once again we have changed interrupt handling - we have changed the interrupt handling several times to try and resolve an issue. A couple of customers have seen the FireBrick reset unexpectedly, and in some rare cases lose user interface or config. This has been extremely rare, but we finally reproduced it and we believe we have now solved it. The solution that appears to work is a change to interrupt handling which suggests that there may have been a hardware bug in one of the devices when used in a certain mode. Our previous changes have made these resets less likely, but this latest change appears to have stopped the problem completely.
Anyone with a resetting problem, please try this code. If your FireBrick resets at all unexpectedly or behaves strangely with this version, please email support@firebrick.co.uk and let us know. Thank you for your patience.
New factory release correcting interrupt handling issue. See beta releases for more details.

Release notes from Factory release 1.06.053 to Factory release 1.06.056

DHCP requests now correctly include OPTIONS parameter in REQEUEST after DISCOVER - ensuring correct gateway setting on cable modems.
If the DHCP reply does not include a gateway then one is no longer assumed (was assumed as server address)

Release notes from Factory release 1.06.044 to Factory release 1.06.053

Further minor changes to ethernet rx and tx interrupt handling
Fixed portmap display for mapped to IP range when no target IP specified
If we had not ARP data for a packet, it was deferred until we did, and bypassed stats. Fixed.
DHCP renewals were sent to broadcast MAC even when sent to server IP, corrected to use ARP.

Release notes from Factory release 1.06.041 to Factory release 1.06.044

Changed DHCP client to send host name with null termination like windows machines.
Further internal change to ethernet tx handling
Slight layout change on routing screen

Release notes from Factory release 1.06.038 to Factory release 1.06.041

Added TTL to ping scanning
Added percentage based diverse routing

Release notes from Factory release 1.06.033 to Factory release 1.06.038

Additional internal debugging added.
Internal change to tx packet control on ethernet controllers.
Changed erase erase for subnets to leave on LAN not WAN
Was answering ARPs for far interface IP address - removed. If required, use proxy ARP route entries.

Release notes from Factory release 1.06.031 to Factory release 1.06.033

Fixed column heading on lane control web page
Internal change in interrupt handlers.
PLEASE NOTE: Check speed lane controls if upgrading from Tara.

Release notes from Factory release 1.06.029 to Factory release 1.06.031

DHCP name based allocation now operates case insensitive - as some Windows versions send different case at different times!
Speed lane give and take can now be capped at an upper limit

Release notes from Factory release 1.06.028 to Factory release 1.06.029

Stats log entries now number filters and lanes from 1 not 0 as per web page
Syslog can now be sent to a non standard port
Syslog relay function still listens on port 514, but sends to configured port

Release notes from Factory release 1.06.022 to Factory release 1.06.028

Erasing a speed lane now clears old stats on that lane
Changed layout of filter screen so stats shown on left
Changed ordering of stats for filter and lane to show now then day(this/last) then month(this/last)
Added a 5 minute average to all statistics (5 minute average is industry standard metric)
Added log/reporting of 5 minute averages - e.g. a syslog every 5 minutes, for external stats collation

Release notes from Factory release 1.06.009 to Factory release 1.06.022

Erasing a tunnel clears the last from IP for dynamic tunnels
Changed ARP session tracking to handle rapid ARP requests that dont wait long enough for replies
ARP debug logging logs ARP announcements
Bandwidth sharing between lanes now added - lanes can give and take spare bandwidth

Release notes from Factory release 1.06.005 to Factory release 1.06.009

Internal change (timer interrupts) - should be no noticable effect
Changed "Bogus ARP reply" message slightly
Change to layout of alert message on status screen

Release notes from Factory release 1.06.003 to Factory release 1.06.005

Changed graphics slightly
Audible alert on login failure - useful in open plan offices to spot someone trying to log in to the FireBrick

Release notes from Factory release 1.06.002 to Factory release 1.06.003

DHCP client will now only request the items it is actually going to use
TS12: Filter name was being shown on quick setup (under Other) and was not correct due to multiple-selection options now in place. Removed
TS13: Edit of a subnet on otehr than first page of subnets was returning to page 1 after edit, fixed
Users with view rights only to diagnositics could remove DHCP allocations, fixed
Full session lists now only show sessions where the user would have view rights to the applicable filter

Release notes from Factory release 1.06.000 to Factory release 1.06.002

Changed Mb to MB in setup for large session as is mega bytes not mega bits
Corrected default incoming tunnel filter to be Any->FireBrick
Any POST (upload) attempt to the FireBrick used to cause the log to be cleared, even if unauthorised. Fixed
New factory reset using different LAN ports allows set up with DHCP server or DHCP client enabled (see tech ref manual)
Changed wording on security set up

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.

Release notes from Factory release 1.06.056 to Factory release 1.00.115

New beta test series 1.7 started.
Made it so that read only access cannot test the email logging facility
Slight change to layout on setup for SoHo
Major rewrite of ethernet drivers for faster operation
Further minor change to ethernet drivers.
Changed so deleteing a user leaves LAN access listed as default.
Internal change to web server to make some operations more efficient.
Updated technical reference manual with a "tips" page which contains useful functions such as "erasing all filters"
If you have selected dot separated number grouping then the KB/s use a decimal comma. Filters that drop now also update the usage counts. Tunnels modified to work better from behind NATing routers (e.g. ISDN router) - tested on ZyXEL
Automatic email of selected log entries to specified email address.
Some traffic not being applied correctly to speed lanes in 1.4.064 - fixed
Still occasional reports of config problems - being investigated.
Ping scanning now possible via non ethernet interfaces such as tunnels, allowing the source address to be specified.
Further internal changes, as we have seen one crash on 1.4.064. We believe this is now resolved.
Alert generated on session limit being reached. New DHCP Mirror and DHCP restrict functions - designed to help cable modem users. Portmap will now match for blank target IP as packets to the firebrick itself. SoHo now includes a single tunnel as this is a common use with home workers. Can now kill DHCP allocations - useful if moving machines about and wanting to change IPs. You can now port map to the FireBrick itself - useful to allow it to appear on a different port than port 80, etc. Updated email sending to log (debug) if mail works or fails and log any error message.
DHCP allocation delete corrected, was deleting first entry always.
DHCP allocation of domain to Windows now null terminated as windows seems to get upset otherwise (why?).
In summer time (any time that is not UTC) the DHCP if clock not set was saying a 1970 expiry, fixed.
Internal change - TCP stack (e.g. web pages) uses routing for return packets rather than source MAC.
Javascript on listing sessions now fixed.
Email test button The address of my.firebrick.co.uk has changed to 217.169.0.1, and so the factory defaults have changed from this issue. Please change the Stealth address in setup from 62.190.255.253 to 217.169.0.1.
If you set a log option to only email, and not to log as well, then it was not emailed - fixed
If you set debug messages to email, then it generated an email to say it had emailed you which gets rather repetative. Now, the emailed log entry is not emailed even if you have selected this for debug entries.
Internal change - TCP operation reverted to allow correct stealth operation
A number of minor changes are being made in 1.5 releases at the same time as the technical reference manual is being developed
Slight change to the rules for passing through of ARP replies
Slight change to handling of packets to 255.255.255.255 allowing more through the FireBrick
Slight change to ARP generation allowing stealth IP and FireBricks own MAC to be used as source
Slight change to colours on ARP diagnositc display
Changed core routing slightly to handle stealth and non stealth more efficiently
Changed session tracking of DHCP requests and replies to correctly track the changing IPs involved
Updated ICMP error handling to cater for replies to local network broadcast
Added some extra debug on "unexpected DHCP request" error.
This is a beta release, so use with care and please let us know of any problems.
No information available Port map moving now possible.
IP protocol input format selection on FireBrick Plus.
Corrected instructions on port map edit screen.
Profiles were tending to set Monday all on (24 hours) in some cases.
Domain names specified in route table edit screen are looked up.
DHCP for syslog server gives correct value rather than firebrick (which does not relay syslog).
Change to internal operation - 1.4.0 suffered from loss of config during heavy load - fixed.
Clock was not being set for first hour if WAN address was DHCP allocated - fixed.
Ping scanning could think it has lost contact briefly on power up if ping from DHCP client interface - fixed.
Filters now allow control over session timeouts on FireBrick Plus.
Adjusted TTL handling so that loops (e.g. setting the DNS server to the firebricks own address) should not hang. Make decimal point or decimal comma a config option. Filter totals corrected - were only counting start of session. Overall stats per interface now recorded Various internal fine tuning = a very very slim possibility existed that a DHCP operation could reset the FireBrick. Changed interrupt sequencing on ethernet controller. Changed internal buffer allocations and handling. New SYN and Bypass filter controls Minor changes. Revised graphics Default DHCP filter made more specific (source and target ports). UDP session track allows for DHCP replies - should also allow stealth DHCP client subnet to work. DHCP client now asks for domain correctly Subnets have (time) profiles - may seem daft but see the manuals - allows dual rendundant configurations. Table borders set to make UI look better in IE. Proxy ARP now correctly subject to route profile. Default time server changed to time.nist.gov. DHCP sending/reveiving of domains fixed. Slight change to ARP handling 1.4.0 pre release (again). As per 1.3.211, including all of the 1.3 beta code - see below for details.
Important note - WAN access is no longer default allowed and so an additional filter will be needed (WAN->FireBrick) before upgrading remote units. On config load, etc, a blank email may be sent - fixed
Added more choice on the log options - check these are sensible as they will be default values
Changed so secondary filter after port map does not apply
Changed factory reset default filters, now allows incoming tunnel traffic (UDP 1) to FireBrick
Changed filters so TCP will not match if RST or FIN in packet
Changed filters to silently drop unexpected TCP traffic with RST or FIN set
Changed quick set up, unchecking boxes now suspends filter rather than setting to drop. Checking unsuspends and enables.
Changed factory reset default filters so unwanted filters set to suspend not drop
Changed factory reset default filters and ERASE oiption so unused routes/etc are set to None rather than Any to avoid confusion
Changed so that second time server can be specified, used if first does not answer
Changed route/portmap/filter/shape so multiple interface selections possible
NOTE: Down grading from this version will mess up filters, routes, shapes, portmaps. So save a config before upgrading so you can down grade, factory reset and reload the old config.
Upgrade and loading old configs now changes unused entries to their new defaults - e.g. None->None for filters instead of Any->Any
Note added to clarify port mapping, and other minor user interface changes
Changed DNS lookup handling - was not working correctly
DNS relaying fixed (previous beta borke it)
Emailing spurious logs in some cases - fixed
Syslog relay fixed, and DHCP server changed to give self as syslog server
Traffic allowed to the firebrick which is not attached to a known port will now generate appropriate ICMP/TCP response
Fixed DHCP server (broken in ealier beta)
ICMP errors corrected - was not showing in traceroutes when it should (beta problem)
Answering to stealth address even when acting as router or local network (beta problem)
Answering its own IP ! (beta problem)
Will now answer ARP if ARP would pass through, but matches our address on far side
Tech ref manual updatde as well
Traceroutes from NT were not showing second and third replies, fixed
ARP passed through where source and target in stealth subnet, not just target
ARP pass through no session tracked to match replies
Bogus ARP replies are logged as "debug"
Various minor presentation/wording changes in UI
Minor internal changes
Minor change to status screen
Only the first 20 traffic shaping rules were being considered, fixed
Port mapping of protocols other than TCP/UDP/ICMP was not even trying. Now changes IPs but cannot guess on any changes needed in packet content so will not work with all protocols.
Added per filter option to "end log". Using the large session logging options regardless of length of session using that filter.
Added global stealth control options (log/filter options)
Adjusted proxy ARP logic allowing source addresses to be checked
Fixed reload on session display
OK, reload on sessions really fixed this time
IP input was not working in Emilia - tried to look up IP in DNS as a name. Fixed.
Port mapping now has interface from and to, as well as a map to - allowing specific traffic to be trapped (e.g. "outgoing web pages", etc.
Emailing of logged events aborts pre/post sending delays if log cleared (e.g. config load/save, etc)
Note: Check your port maps after loading as they may have target interface None
Minor change to upload, ensures any new config fields are initialised in all circumstances (mostly did this before). This also has the effect that you are always logged out on an upgrade.
Added source MAC to "bogus ARP" debug log entry
Fragmentation (for tunnels) is done on DF set packets if already fragments (for NFS)
Users that could view sessions could kill them - fixed
Changed to allow traceroute via a tunnel
Time profile on email settings crashed Firebrick if data to send when out of time profile, fixed
This is a release candidate for V1.6
Fix for GRE NAT/IP mapping
Change to session tracking for incoming port mapped UDP and (non TCP/UDP/ICMP) traffic to avoid duplicate sessions
Hopefully this will be the 1.6.0 release
Added boot time to diag status screen (if clock set)
Rearranged diag screen counters and added time reference (may be inaccurate until factory reset)
Port map display fixed when no target for range of source addresses
Fixed ICMP checksum on de-NATed ICMP error packets
Fixed ICMP errors from FireBrick when going via NAT (e.g. traceroute)
Added reload on session list
Improved tunnel error messages
From now on, all issues have a name as well as a version number
Internal change to interrupt timing
Added diag interface stats
Transition to latest version meant that a ping scan via Any would change to via the FireBrick
Ping scan now has Any as an option rather than the FireBrick
Slight change to allow traffic from firebrick to go down tunnels, e.g. emailed logs, syslog, etc
Slight change to port map - did not work if only changing source address and not target port or IP. Fixed
Slight change to port map - setting a new source IP of 255.255.255.255 causes an appropriate firebrick IP to be set
Change to ping scan so that gateway is not used when sending to non ethernet. Previously it set the source IP, but the far end tunnel will do this now.
Changed password handling to use internal encryption.
SAVE YOUR CONFIG FIRST as reverting back to older software WILL screw up all of your passwords
Duplicate IP warning now says if WAN or LAN
DHCP restrict was not completely working correctly - fixed
Made port mapping even more general - allowing it to be used to simply force routing rules on stealth traffic if required
Internal change in session tracking to better handled re-routed stealth sessions using port mapping
DHCP names extended from 11 to 20 characters
Some network printer widgets dont send a name on the initial DHCP discover, but do on the request. As such restricted DHCP allocation does not work. Changed so a discover of a previously allocated DHCP addresses with no name assumes same name, hence allowing the subnet to be made unrestricted, the address allocated, and then closed again.
Internal change to way stealth return packets to routed forward packets via re-route of interface are handled
Changed so packets for the firebricks IP on LAN/WAN are not re-directed by routing tables
Changed so routing has FireBrick and Any targets. Setting Any allows further routing to be done, but can be used to set NAT and proxy ARP
Removed RFC strict on DHCP as not required
Made DNS only one filter by default (allowing UDP and TCP on port 53) as lookups can use TCP for long answers
Changed way syslog and DNS relaying is handled - using an implied final port map and allows TCP DNS relay also.
Fixed port mapping of source addresses which was not setting new source port (beta problem)
Technical reference manual (which is partly complete) includes details of these changes.
Session view shows R/S for route/stealth
DNS relay on UDP now doing NAT to avoid replies from wrong address (was upsetting some linux resolvers)
Tunnel errors show IP
Dynamic tunnels fixed
Tunnels changed so that handling of large packets results in normal IP fragmentation
Route table shows "notes" for NAT/proxy ARP, etc
Added option to broadcast DHCP renewals (Colombian cable modems)
Clearing Alert was available to users with view rights from setup - fixed
Made FireBrick name stand out more on web pages
Made time checking only disregard profile if the profile is a time based one and the clock is not set
Clarified action of ping scan when clock not set (pings all the time)
DHCP client requests syslog and time server IPs
Time setting interval made slightly random
A new config created in 1.5 from factory reset would work until an upgrade, at which point passwords and filters mat be corrupted. The factory reset in 1.5 is now fixed, but configs created in 1.5 before this change will still corrupt.
Note: loading an old config which only contains some settings because of security restrictions, or can only load some items because of security restrictions may result in corruption of interfaces and passwords that are not loaded.
Implicit syslog portmap does not change source as syslogs dont get replies.
Fragment offset in filter log corrected, was a factor of 8 too small.
Improved handling of braodcast packets mis-routed to same ethernet interface
Previous Factory issue. Note that after an upgrade to this you may have to factory reset your unit as per instructions in the manual. Updates to tunnelling. Improved logging on DHCP server/client Minor changes New 'Bounce' feature in filtering causes annoyance for port scanners (even hangs nmap!). Delayed response on firewall to reduce effect of denial of service attacks. New simpler NAT setup (NAT option on subnet). Minor change regarding bouncing of pings, and also changed replies from firewall bounce/reject to contain random time delay element. DHCP change (Non RFC1541 use of Request IP in HCP request required !!), and handling multiple DHCP servers better Changed logging to use colour in separate window. Updated DHCP server to list names of machines allocated IP addresses, and added RFC1541 strict compliance check box in DHCP client. Increased web log in timeout to 10 minutes. Added report of DHCP server address on diag page. Improved logging and filtering for IPSec traffic Various UI enhancement including ability to move filters, routes and traffic shaping rules anywhere in the list. New filter suspend mode added. Can set the size of pages in paged lists, and also the logout timeout. Same software releases now operate on FireBrick and FireBrick Plus auto-detecting the hardware platform. Syslog now allows you to select the facility (local0 to local7) DHCP client works correctly with NTL cable modems. Improved traffic shaping where lots of different traffic rates are used, and additional Diag information (session counts). Separate language specific web pages, port mapping, ICMP error tracking, bug fix to DHCP, new graphics, web based incident log, asymmetric speed controls, and various minor improvements.

Note that upgrades from older versions have been known to require a factory reset as per the manual. Upgrade from this to later versions should now be seemless with configurations preserved.

Now contains statistics for speed lane and filter use, and improved summer time handling on clock. Time profile on filters corrected. Minor changes and corrections. Minor changes, different icons layout for better working on narrow screens, and changed so default filters are OFF. Bugfix in tunnelling, and additional DHCP activity logging. More tunnelling improvements Allows for un-signed tunnels (leave secret blank). Upgrade to make live logging better Improved tunnels (works with MTU path discover allowing windows file shares over tunnels to work without manually adjusting MTU). Also added some general logging controls allowing filter failures to be logged, etc. Added extra diagnostics option. New, simpler factory reset procedure - see manuals for details. New default filters making lock-out less likely. Routes were not taking in to account time profiles... Fixed. Changes to internal operation of session tracking and port mapping. Port mapping has new "relay" feature allowing full relaying (changing source and destination addresses) as well as simple incoming port mapping via into NAT. Traceroute working correctly. Minor changes Default filter rules no longer allow connection to Firebrick from WAN port - i.e. this must be specifically allowed in the filters if required. Time profiles have a 24hour button on each day as well now. Bounce TCP not creating sessions now... Added domain name (setup/name) so can be served by DHCP server for windows clients, etc. Changed DHCP client mode to set gateway, dns server, time server, domain, syslog server unless excluded as part of subnet setup. Changed DHCP server mode to allow specific items not to be served (gateway, dns server, time server, domain, syslog server) Logs/diagnostics understand more IP protocol types by name. Slightly faster packet switching code. Larger and faster MAC cache. Time Profiles now called Profiles as they do more than just handle time switching. Long session report now states filter name that applied to session Improved stats - current per second, and monthly(plus only) DNS relay fixed (was sending to wrong interface) 1.4.0 pre release Corrected speed lanes (broken in previous beta release). Online manuals updated ready for 1.4.0 release. Typo on the End session log output. Can now set comma/space number grouping (e.g. 12,345) Date format options (ISO/US/UK/Full) Removed 10% additional bandwidth on speed lanes - set the speed you actually want. Fixed bug in UDP time server. Stats update not rolled over on startup without clock. Very long log displays were causing the FB to reset - fixed. Rate displace (KB/s) now to 1 decimal place specially for people on BT NetStart lines (-: Moving filters was not correctly changing the session filter ID for live sessions. Changed TCP timeout back to 2 hours Changed session display so that can list by protocol. Changed TCP session handling to allow sessions to resume after long delays from allowed side. Speed lane changes if time profile or edit of shaping rules, now apply to active sessions. Fixed session leak - previous beta would not run for more than a few hours without stopping. Longer TCP session timouts, and improved security setting control for set up screens (viwe access was allowing some setup functions to bve done). Greatly improved port mapping allowing mapping of source address for general purpose relay as well as selective source IP for port mapping. Time profiles also working on port maps. New ping testing feature on time profiles - allows constant monitoring of an IP address and changing control settings based on loss of contact. TCP timeout set to 2 hours. Crash that was affecting beta releases now fixed. Improved handling for time profile ping scanning. Ping scanning still needed more work - fixed gatway addresses. LAN->LAN default filter was faulty (never matched!), fixed. DNS/TIMED forwarding fixed. For convenience, if a DNS address is set up and working, then most places where you type and IP address (tunnels/filters/portmaps/shaping) you can now type a host name. Works for simple A record lookup (not following CNAMEs, etc). DHCP server operates without clock set - leases issued for 2 hours as normal, but expiry not tracked on FireBrick so effectively unlimited until clock is actually set. Able to see list of active sessions. Can selectively kill sessions DHCP addresses allocated when clock not set now set to normal 2 hour expiry when clock is set. Session log shows which filter allows the session. Further internal changes regarding displaing the log.