Endian Firewall Community

Software Details:
Version: 3.2.5 updated
Upload Date: 22 Jun 18
Developer: Endian S.r.l.
Distribution Type: Freeware
Downloads: 715

Rating: 5.0/5 (Total Votes: 2)

Endian Firewall Community is an open source Linux firewall operating system that has been designed with "usability in mind" and is very easy to install, use and manage, without losing its flexibility. It is derived from the highly acclaimed and award winning Red Hat Enterprise Linux distribution.

The main advantage of Endian Firewall is that it is a pure "Open Source" solution that is commercially supported by Endian. It comes with a powerful, modern, easy-to-use and easy-to-configure web interface that includes the Base, Advanced Antivirus, VPN Gateway, and Web Content Filter modules.

Features at a glance

Key features include a stateful packet inspection firewall, application-level proxies for various protocols (HTTP, POP3, SMTP) with antivirus support, virus and spam filtering for email traffic (POP and SMTP), content filtering of Web traffic and a "hassle free" VPN solution (based on OpenVPN).

In addition, the distribution provides strong security for both your local network and the Internet, secures your email, and offers multi-WAN with failover, routing, Network Address Translation (NAT), reporting and logging, trusted timestamping, as well as support for most modern UMTS/3G USB dongles.

Distributed as a dual-arch, installable ISO image

Endian Firewall Community is distributed as a hybrid, dual-arch and installable ISO image, supporting both 32-bit (i386) and 64-bit (x86_64) instruction set architectures. The ISO image is approximately 200 MB in size and can be easily deployed to either a CD disc or a USB thumb drive of 512MB or higher capacity, which can be used to boot the operating system from the BIOS of a computer.

The distribution must be installed on your computer in order to use it. For this, you must have basic knowledge of installing a Linux kernel-based operating system from the command-line. Be aware, though, that your current OS will be erased and you will lose all your data, so make sure that you back up your files first.

What is new in this release:

  • Improvement UTM-1722 Add option to load custom TLS ciphers
  • Improvement CORE-2143 Add CLI notification when a reboot is required
  • Improvement UTM-1903 Replace "Disabled for service" with "Enabled services" in user editor
  • Improvement CORE-2131 Register emi commands with a decorator
  • Improvement COMMUNITY-311 Trivial error on registration form
  • Bug UTM-1920 Server OpenVPN problem after Update
  • Bug UTM-1917 Triggers are not executed by openvpn-user fakedisconnect command
  • Bug UTM-1915 QUEUEFW not cleaned after SNORT is disabled
  • Bug UTM-1907 setproxyinout produces an error when a restart is performed and the proxy is not installed
  • Bug UTM-1813 OpenVPN job does not start after reboot
  • Bug UTM-270 Squid terminates with an error if an entire domain and its subdomains are used in the same access policy
  • Bug CORE-2335 smart upgrade doesn't upgrade packages in some circumstances
  • Bug CORE-2285 efw-update crash due to logger module exception
  • Bug CORE-2267 Factory reset is not complete
  • Bug CORE-2256 Fix missing dependencies on html5lib
  • Bug CORE-2246 AttributeError: MultiLineSysLogHandler object has no attribute formatException
  • Bug CORE-2199 JSON EMI command parameter parsing is broken
  • Bug CORE-2171 Cannot change user group membership when language is Italian
  • Bug CORE-2168 Wrong default tab for new users and when editing an existing one
  • Bug CORE-2115 Event reporting graphs not working
  • Bug CORE-2104 Autoupdate script not linked after netwizard
  • Bug CORE-2064 Upgrade python-simplejson to prevent conversion of i18n strings to JSON failure
  • Bug CORE-1416 Snort doesn't work when HTTP proxy is ON
  • Task UTM-1880 Send Endian Bus notification on client VPN connection/disconnection
  • Task CORE-2296 Textual netwizard should ask for root/admin password
  • Task CORE-2234 NetworkAddress validator optionally calculate network addresses
  • Task CORE-2218 Add SSLStrictSNIVHostCheck off to httpd configuration
  • Task CORE-2205 Make console menu configurable
  • Task CORE-2196 Encrypt PersistentDict with AES
  • Task CORE-2186 Add new stylesheets and icons (Bootstrap)
  • Task CORE-2156 Introduce Python requests library
  • Task CORE-2151 Introduce python-oauthlib and requests-oauthlib Python libraries
  • Task CORE-2144 Introduce Python bleach for UTM
  • Task CORE-1962 Move generic files functions from endian.job.commons to endian.core.filetools
  • Task CORE-1785 Add get_module_version to endian.core.version

What is new in version :

  • Updated squid to 3.5.25
  • Updated dnsmasq to 2.76
  • Updated openvpn to 2.4.3
  • Security improvements to certificates management and openvpn
  • Extended support for hardware raid
  • Extended support for network interfaces
  • Security fixes
  • Added hourly graphs (thanks to dwstudeman from community)

What is new in version 3.2.2:

  • 64bit CPU support
  • New 4.1 kernel
  • Python updated to version 2.7
  • Extended hardware support through updated drivers
  • Extended 3G modem support
  • Security fixes

What is new in version 3.2.1:

  • 64bit CPU support
  • New 4.1 kernel
  • Python updated to version 2.7
  • Extended hardware support through updated drivers
  • Extended 3G modem support
  • Security fixes

What is new in version 3.0.0 / 3.2.0 Alpha 1:

  • "Network types" have been added to the network wizard and uplink editor to be able to distinguish between firewall setups in different network topologies.
  • Support for transparent implementations through a new bridge mode has been added.
  • With the new TPROXY support in the HTTP proxy it is now possible to create firewall rules, routing policies and other rules based on the source IP address even if the proxy is being used.
  • The complete rewrite of the event management engine results in better performance when analyzing log files and sending notifications.
  • The anti-virus engine has been updated.
  • Many security vulnerabilities have been fixed.
  • Hardware support has been improved.

What is new in version 3.0.0 / 3.0.5 Beta 1:

  • "Network types" have been added to the network wizard and uplink editor to be able to distinguish between firewall setups in different network topologies.
  • Support for transparent implementations through a new bridge mode has been added.
  • With the new TPROXY support in the HTTP proxy it is now possible to create firewall rules, routing policies and other rules based on the source IP address even if the proxy is being used.
  • The complete rewrite of the event management engine results in better performance when analyzing log files and sending notifications.
  • The anti-virus engine has been updated.
  • Many security vulnerabilities have been fixed.
  • Hardware support has been improved.

What is new in version 3.0.0 Build 201401151045:

  • Web Security:
      • HTTPS filtering
  • E-mail Security:
      • SMTP Proxy: Domain Management
      • SMTP Delivery Status Notification configuration
  • Virtual Private Networking:
      • IPsec
          • Encryption: Null, 3DES, CAST-128, AES 128/192/256-bit, Blowfish 128/192/256-bit, Twofish 128/192/256-bit, Serpent 128/192/256-bit, Camellia 128/192/256-bit
          • Hash algorithms: MD5, SHA1, SHA2 256/384/512-bit, AESXCBC
          • IKEv2
      • OpenVPN
          • Support for TUN mode
          • Connections page for VPN users
  • User Management & Authentication:
      • User management for OpenVPN
      • Integrated certificate authority
      • External certificate authority support
      • User password and certificate management (two-factor authentication)
  • Logging and Reporting:
      • Live network traffic monitoring (powered by ntopng)
      • System status graphs are not lost at every reboot
      • Images for SMTP mail statistics graphs
  • Miscellaneous fixes and improvements:
      • Serial port speed is now always set to 115200bps
      • Fixed password changing from the console menu
      • Sanitized logs

What is new in version 3.0.0 Beta 2:

  • Web Security:
      • HTTPS filtering
  • E-mail Security:
      • SMTP Proxy: Domain Management
      • SMTP Delivery Status Notification configuration
  • Virtual Private Networking:
      • IPsec
          • Encryption: Null, 3DES, CAST-128, AES 128/192/256-bit, Blowfish 128/192/256-bit, Twofish 128/192/256-bit, Serpent 128/192/256-bit, Camellia 128/192/256-bit
          • Hash algorithms: MD5, SHA1, SHA2 256/384/512-bit, AESXCBC
          • IKEv2
      • OpenVPN
          • Support for TUN mode
          • Connections page for VPN users
  • User Management & Authentication:
      • User management for OpenVPN
      • Integrated certificate authority
      • External certificate authority support
      • User password and certificate management (two-factor authentication)
  • Logging and Reporting:
      • Live network traffic monitoring (powered by ntopng)
      • System status graphs are not lost at every reboot
      • Images for SMTP mail statistics graphs
  • Miscellaneous fixes and improvements:
      • Serial port speed is now always set to 115200bps
      • Fixed password changing from the console menu
      • Sanitized logs

What is new in version 2.5.2:

  • New Features:
      • [UTM-250] - PhishTank as anti-phishing protection
      • [CORE-82] - Show signatures update time in the dashboard
      • [CORE-477] - Intel drivers for the newest Intel network interface cards
      • [CORE-222] - Support for USB Huawei E173 USB UMTS modem
  • Improvements:
      • [UTM-68] - ClamAV engine update to version 0.97.8
      • [CORE-184] - The collectd netlink plugin stores information that is never used
      • [CORE-89] - EMI does not load sqlite anymore
      • [CORE-259] - EMI storage is not read/write-safe
      • [CORE-63] - In Port forwarding / DNAT the default mode should be simple instead of advanced
      • [UTM-250] - PhishTank lists replace lists from malwaredomains
      • [CORE-285] - Packaged signatures tarball with new PhishTank signatures instead of those from malwaredomains
      • [CORE-105] - Monit method needs an additional attribute monitor=False which prevents monitor/unmonitor command from getting sent to monit
      • [CORE-189] - Store collectd RRD files in /tmp and periodically synchronize to /var
      • [CORE-164] - Delete archived log files when free space is needed
      • [CORE-231] - Use collectd graphs instead of squid-graph
      • [CORE-206] - Replace makegraphs.pl with collectd graphs
      • [UTM-110] - Remove collectd's ntp RRD files
      • [UTM-80] - New version of ntop
      • [CORE-240] - Ethernet bonding support
      • [UTM-40] - DansGuardian custom *regexp file is not handled correctly
  • Bugs:
      • [UTM-115] - ClamAV blocks .exe files due to issues in its DetectBrokenExecutables check
      • [UTM-86] - HAVP does not run after an upgrade to 2.5
      • [UTM-65] - "Block encrypted archives" flag was doing exactly the opposite of what had been configured
      • [UTM-63] - Wrong status message in ClamAV page before the first signature update
      • [CORE-132] - The Authentication layer does not start due to a UTF-8 problem
      • [CORE-125] - Authentication job is not started after finishing the initial wizard
      • [CORE-367] - Old backups cannot be downloaded after migrating to 2.5
      • [CORE-288] - USB stick not detected correctly by efw-backupusb
      • [CORE-278] - When cleaning the system USB backups are not considered
      • [CORE-148] - Instead of keeping 3 USB backups when rotating only 2 are kept
      • [CORE-113] - Error creating the cron link for scheduled automatic backups
      • [CORE-220] - More backups than configured are stored
      • [CORE-427] - Deadlock during the reading/writing of SettingFiles
      • [CORE-264] - Logout button does not work for all browsers
      • [CORE-236] - After an update efw-shell does not display correctly the new/updated commands
      • [CORE-122] - In policy routing rules only CS0 Type of Service can be selected
      • [CORE-107] - Dnsmasq sometimes fails to restart which causes monit to use a huge amount of resources
      • [CORE-88] - Backup uplinks do not work if they are Ethernet uplinks
      • [CORE-497] - Collectd does not start on boot with new version of monit
      • [CORE-211] - Dependency to efw-httpd is missing
      • [COMMUNITY-15] - RPM triggers interrupt update process
      • [CORE-451] - GUI port is hardcoded for redirection
      • [CORE-268] - Reboot required not shown after kernel upgrade
      • [CORE-482] - emicommand hangs because of curl blocking
      • [CORE-137] - YAML storage raises an exception when trying to load a valid YAML file that contains a list instead of a dictionary
      • [CORE-369] - Interzone firewall rules are not created after migration to 2.5
      • [CORE-119] - When switching from advanced to simple mode editing destination NAT rules the filter policy is changed to ALLOW
      • [CORE-118] - Target port of Destination NAT is not disabled when the incoming protocol is "Any"
      • [CORE-115] - Incoming Service/Port field of Port forwarding / Destination NAT is editable, even if Service and Protocol are both set to "Any"
      • [CORE-106] - The bridges job status is wrong, "restart" instead of "start"
      • [CORE-335] - jobcontrol hangs when sync restarting jobs
      • [CORE-326] - Jobengine exception during update
      • [CORE-257] - Jobs are unnecessarily restarted multiple times
      • [CORE-248] - Jobsengine memory leak when OpenVPN client connects
      • [CORE-131] - The efw-shell command "job" does not work due to a syntax error
      • [CORE-124] - AnaCronJob uses Job.start which sets force=True even if not needed
      • [CORE-123] - DownloadJob uses Job.start which sets force=True even if not needed
      • [CORE-120] - Timestamping signatures are recreated although force is not set to true in CrawlerJob
      • [CORE-321] - After migration from 2.4 to 2.5 RAID controller mptsas is not working anymore
      • [CORE-303] - Intel Network driver igb not supported for Quad Intel 82580 Gigabit Network
      • [CORE-190] - Enable FUSION_SAS driver
      • [CORE-332] - twistd.log are not compressed and rotated in /
      • [CORE-247] - Logrotate not run under various circumstances
      • [CORE-87] - ntop UI is not accessible
      • [CORE-251] - Logrotate configuration file is removed when logrotate package is upgraded after efw-syslog
      • [CORE-203] - purge-log-archives script fails under special circumstances
      • [UTM-414] - ntop segfault in libc-2.3.4.so/libntop-4.1.0.so
      • [UTM-244] - ntop crashes if it is asked to monitor an interface that is down
      • [CORE-343] - VLAN configuration problem
      • [CORE-174] - Local routes are missing in ip rule so user defined rules always overrule local routes
      • [CORE-86] - Policy Routing rules are not applied
      • [CORE-80] - Upgrade of stripped RPM packages destroys configuration files
      • [UTM-378] - Double efw-dnsmasq packages after upgrade
      • [UTM-338] - When updating efw-dnsmasq the httpd configuration file is removed
      • [UTM-322] - Anti-spyware signatures last update date is inconsistent
      • [UTM-320] - DNS black- and whitelists are ignored until the cron job runs
      • [UTM-317] - DNS anti-spyware blacklist is not working
      • [UTM-316] - Black- and whitelisted domains are not erased after saving settings
      • [UTM-88] - Unable to download malwaredomains information
      • [UTM-181] - Proxy PAC is not applied
      • [UTM-93] - Denial of service triggered by access to the proxy port
      • [UTM-90] - DansGuardian blacklists and phraselists are missing after an upgrade to 2.5
      • [UTM-87] - DansGuardian blacklists and phraselists cannot be downloaded
      • [UTM-55] - Clamd is not started before HAVP
      • [UTM-194] - HTTP proxy configuration ignores rules under certain circumstances
      • [UTM-81] - IMAP authentication fails if username contains a @domain part.
      • [CORE-219] - TOS/DSCP option breaks Quality of Service
      • [UTM-119] - Snort is restarted twice during boot time
      • [CORE-138] - System uptime is shown incorrectly
      • [CORE-396] - Migration not called after upgrade to 2.5 due to collectd
      • [CORE-159] - Certain migration scripts are not executed
      • [CORE-129] - Migration framework causes tracebacks if an RPM package has an epoch set and a migration script for it exists
      • [UTM-108] - OpenVPN client calls missing "remove_rules" method which is not controlled by jobengine and uses a deprecated function
      • [UTM-95] - Selecting GREEN in IPsec GUI corrupts IPsec configuration file
      • [UTM-230] - OpenVPN job fails to create user configuration files if the push orange or push blue options are enabled
      • [UTM-97] - OpenVPN process cannot remove temporary files because of wrong file owner
      • [CORE-221] - OpenVPN client TUN device configuration is broken
      • [UTM-200] - Route to subnet behind OpenVPN gateway-to-gateway user is set with wrong gateway IP address if the user has a static IP assigned

What is new in version 2.5.1:

  • Connectivity - Support for most modern UMTS/3G USB dongles
    By adding new drivers Endian Firewall 2.5 now supports most modern UMTS/3G dongles. Once plugged in they appear as serial devices and can be configured by choosing Analog/UMTS modem as uplink type. You will find the newly created serial devices in the Serial/USB Port dropdown.
  • System - Performance improvements
    The whole system startup procedure has been rewritten. Endian's new jobsengine decreases the startup by 50 percent. Additionally, major improvements have been made in memory usage. A fully configured system's memory footprint has been reduced by more than 200 megabytes.
  • Contentfilter - Configurable update intervals
    The contentfilter blacklists are now updatable through the GUI like for any other service and updates do not rely on the release of new packages anymore. The interval can be chosen from hourly, daily, weekly and monthly.
  • Dashboard - Customizable through configurable widgets
    The new dashboard is now fully customizable through the use of configurable widgets. The update interval for all widgets can be set individually now, widgets can be placed by drag and drop and it is possible to deactivate widgets completely.
  • Logging - Trusted timestamping
    Endian Firewall now supports trusted timestamping using OpenTSA. This feature allows you to make sure your log files have not been modified after they have been archived.
  • Routing - Additional gateway options
    The policy based routing and static routing modules have been extended. It is now possible to use static gateways for routes as well as to route traffic through OpenVPN connections.
  • Bugfixes
    Huge efforts have been made to create a very stable release. On the road to Endian Firewall Community 2.5.1 many small improvements have been made and hundreds of bugs have been fixed.

What is new in version 2.4.0:

  • This release introduces new features and lots of bugfixes that make EFW 2.4 a significant improvement in the development of the Endian product family.
  • Switch to Enterprise:
    If you are using EFW 2.4 and you wish to switch to Endian UTM 2.4, you can now do so by simply pushing a button. The process is completely managed by EFW, ensuring you a safe and effective upgrade.
  • Updates to 2.4:
    Updating your EFW 2.3 no longer requires installing a new system from scratch. Instead, you can update single packages using our dedicated repository.
  • New Kernel:
    With the new version of the kernel the number of supported hardware devices - most of all network interface cards - increases significantly. The new kernel also allowed us to fix some known issues.
  • Improved IPsec:
    Thanks to the new kernel, IPsec is now more stable and efficient, avoiding malfunctions that may happen in specific cases.
  • New GUI for the Destination NAT/Port Forwarding module:
    A more intuitive and flexible GUI has been developed in order to offer easy configuration for most port forwarding options. If you want to define specific rules, the advanced mode lets you control the module in detail.
  • Bugfixes:
    Endian Engineers worked hard on fixing bugs of EFW 2.3.

What is new in version 2.3 RC1:

  • Backups:
    Backups can now be stored to and recovered from attached USB mass storage devices. It is also possible to schedule automatic backups and to send encrypted backups via email.
  • Dashboard:
    The main page has been replaced by a dashboard with statistics about the system and its services as well as live-graphs for incoming and outgoing traffic.
  • Email notifications:
    Emails can be sent automatically for predefined events.
  • HTTP proxy time based access control:
    With the new interface it is possible to add time based access control lists for the HTTP proxy.
  • HTTP proxy with user- and group-based content filtering:
    The HTTP proxy now has a new and polished web interface that adds the possibility to create group based content filters.
  • Intrusion Prevention:
    Snort rules can now be configured. It is possible to drop packets as well as to log intrusion attempts.
  • Policy routing:
    Routing rules can be created based on the interface, MAC address, protocol or port of a packet.
  • Port forwarding rewrite:
    In version 2.3 it is possible to add port-forwards from any zone (only from the RED zone previously). Port forwarding without NAT is now also supported.
  • Quality of Service:
    Traffic Shaping has been replaced by a fully configurable Quality of Service module. QoS devices, classes and rules can be defined.
  • SNMP support:
    Basic SNMP support has been added.
  • SMTP proxy web interface rewrite:
    The web interface of the SMTP proxy has been rewritten with focus on usability.
  • VLAN support (IEEE 802.1Q trunking):
    It is now possible to create VLANs on every interface. The VLAN interfaces can be used to distinguish connections in the same zone.

What is new in version 2.2:

  • While this new release includes mostly bugfixes and software updates, it also contains one major new feature.
  • It is the first release of Endian Firewall Community that can be updated by running one simple command once new packages have been released.
  • To be able to do this it is necessary to create an account at http://www.endian.org/register
