
drawbridge-CHANGES

Posted Aug 17, 1999

tags | tool, firewall
systems | unix
MD5 | af2b1619ad081573d2dd3c353f410e2d

**** Version 3.0 Beta 2 ****
**** CHANGES (since Drawbridge 3.0 Beta) ****

o Patched the vx ethernet driver (3com pci ethernet cards) so it would
work with Drawbridge.

o Added the dropped packet counter to several ethernet drivers that had
been overlooked.

o Made the changes necessary to build the Drawbridge package on FreeBSD
2.2.6 as well as 2.2.5.


**** Version 3.0 Beta ****
**** CHANGES (since Drawbridge 3.0 Alpha) ****

o Ported from FreeBSD version 2.0.1 to 2.2.5.

o Put syslog support back in. This had been left out of the initial
port to FreeBSD.

o Fixed a bug in the listen interface code.

o Added support for incoming ICMP filtering based on the type of ICMP
packet and the destination host. This was mainly added to
prevent ICMP echo requests to local broadcast addresses.

o Renamed the 'allow' table to the 'override' table.

o Added the 'accept' table to prevent IP spoofing from the inside
to the outside. This helps protect the rest of the Internet
from malicious users on the local network.

o Redesigned the table logic (accept, reject, override) to add
the ability to have inverse rules.

o Made all counters 64 bit to prevent rollover.

o Added an option to filter certain ICMP attacks and an option to
filter fragmented ICMP packets.

o Added a breakdown of the filtered packets counter on the monitor
screen. Each filter now has its own counter to make it
easier to tell what kinds of packets are being filtered
without turning on logging of each filtered packet.

o Modified dbfc and dbmgr to support the new features listed above.

o Removed the '-b' switch from the filter compiler. The manager now
always expects the compiled data files to be in network byte
order.

o Fixed a bug in the filter compiler that displayed inaccurate min/avg/
max values for the number of table entries for each class in
the generated class table.
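
The inbound ICMP type/destination check and the outbound 'accept' source check from the list above, shown in C as an added example. This is not Drawbridge code: the network list, the `classify` function and the verdict names are hypothetical, and the addresses are constructed documentation ranges.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical "local network" list (constructed documentation ranges). */
struct net { uint32_t addr, mask; };
static const struct net local_nets[] = {
    { 0xC0000200u, 0xFFFFFF00u },   /* 192.0.2.0/24    */
    { 0xC6336400u, 0xFFFFFF80u },   /* 198.51.100.0/25 */
};
#define N_NETS (sizeof local_nets / sizeof local_nets[0])

enum verdict { PASS, DROP_MALFORMED, DROP_SPOOFED_SRC, DROP_BCAST_ECHO };

static uint32_t be32(const uint8_t *p) {   /* read a network-byte-order word */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Does the address belong to one of the local networks? */
static int is_local(uint32_t ip) {
    for (size_t i = 0; i < N_NETS; i++)
        if ((ip & local_nets[i].mask) == local_nets[i].addr) return 1;
    return 0;
}

/* All-ones or all-zeros host part of a local network (directed broadcast). */
static int is_local_broadcast(uint32_t ip) {
    for (size_t i = 0; i < N_NETS; i++) {
        uint32_t host = ~local_nets[i].mask;
        if ((ip & ~host) == local_nets[i].addr &&
            ((ip & host) == host || (ip & host) == 0)) return 1;
    }
    return 0;
}

/* pkt points at an IPv4 header; outbound != 0 means inside -> outside. */
enum verdict classify(const uint8_t *pkt, size_t len, int outbound) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return DROP_MALFORMED;
    uint32_t src = be32(pkt + 12), dst = be32(pkt + 16);
    if (outbound)                       /* source must be a local address */
        return is_local(src) ? PASS : DROP_SPOOFED_SRC;
    /* The ICMP type byte is only present in the first fragment. */
    int first_frag = ((pkt[6] & 0x1F) == 0 && pkt[7] == 0);
    if (pkt[9] == 1 && first_frag) {    /* IP protocol 1 = ICMP */
        if (len < ihl + 1) return DROP_MALFORMED;
        if (pkt[ihl] == 8 && is_local_broadcast(dst)) return DROP_BCAST_ECHO;
    }
    return PASS;
}
```
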


**** Version 3.0 Alpha (not publicly released) ****
**** CHANGES (since Drawbridge 2.0.1) ****

o This version is a complete rewrite for the FreeBSD 2.0.1 operating
system. A lot has changed from version 2.0 so it will be
necessary to read all the documentation before setting up
version 3.0. Instead of describing all the specific changes,
I have listed general changes below.

o The Filter program has been completely replaced with a modified
FreeBSD kernel. All filtering/bridging is handled inside
the kernel at the interface layer. All packet processing
is interrupt driven for the best possible speed.

o The Filter Manager has been completely rewritten and renamed 'dbmgr'
(Drawbridge Manager). The manager now runs on the Drawbridge
system instead of on a remote system. Remote management can
still be accomplished by using ssh (secure shell) to login to
the Drawbridge system to use dbmgr locally.

o The Filter Compiler has been renamed to 'dbfc' (Drawbridge Filter
Compiler) and can now be run on the Drawbridge system as well
as on a remote system. If it is run remotely, the resulting
files can be transferred to the Drawbridge system in a secure
manner using scp (secure copy).

o All Drawbridge management can now be done from the console while the
system is running. No packet loss will result from management
operations because all packet filtering and forwarding is done
at the interrupt level in the FreeBSD kernel. If desired,
remote access can be completely disabled for added security.


**** Version 2.0.1 ****
**** CHANGES (since Drawbridge 2.0) ****

o Ported fm and fc to Linux.


**** Version 2.0 ****
**** CHANGES (since Drawbridge 2.0 Beta) ****

o Changed the behavior of fm when not reading from a terminal. It used
to throw all output except stderr away. Now it does not throw
output away. If you wish the output to go to /dev/null use a
shell redirection.

o Changed the behavior of the -b switch on fc. Since the tools are
endian clean now, the only use for the switch is for sneakernet
transfer of the files to Filter. Therefore Filter Compiler now
also modifies the filenames of the output files when -b is
specified so that they are the filenames that Filter expects.

o Removed some definitions that prevented Filter from compiling under
Borland C++ version 3.

o Made the Makefiles more portable. You now invoke them with the
platform desired to build fc and fm. Thanks go to Ralph
Mitchell for providing patches for compilation on AIX.

o Added in syslog support. Thanks go to Klaus-Peter Kossakowski
and Uwe Ellermann at DFN-CERT for providing much of the
implementation.

o Cleaned up the syslog support and added in the LogMask. Some
of the syslogging may get tortuous depending on the kind
of traffic on the network that Drawbridge is attached to.

o Added optional filtering of TCP IP fragments with suspicious
offsets and optional filtering of IP protocols other than
TCP/UDP/ICMP. Thanks go to Klaus-Peter Kossakowski and
Uwe Ellermann at DFN-CERT for some of this code.


**** Version 2.0 Beta ****
**** CHANGES (since Drawbridge 2.0 Alpha) ****

o NDIS 2.1 from Microsoft rather than NDIS 2.0 from 3Com is now
included. Thanks go to Alex Li for giving me the pointer to the
newer version.

o Patches have been made so that fc and fm will now run on little
endian machines. If you can get fc and fm to compile,
endianness should not be a problem. Thanks go to Danny Thomas
for generating the fixes for fc. (Note that due to the
extensive amount of changes required, fc and fm do not and will
not any time soon run on 64 bit architectures (e.g. Alpha).)

o An uptime statistic has been added to the statistics reporting.

o The original paper covering the entire TAMU security package has been
updated to cover Drawbridge 2.0. It is still not up to date on
Tiger and Netlog but will be soon.

o Added "retries" and "timeout" variables to the fm user interface.
When managing a Drawbridge installation that uses floppy disk
for the storage of the tables, a write can easily timeout. The
default values are 3 retries and 3 seconds.


**** Version 2.0 Alpha ****
**** CHANGES (since Drawbridge 1.1) ****

o Filter now supports FDDI to FDDI filtering. Note however that
due to the inherent limitations with bridging on FDDI,
Filter will only work under a very specific and limited
configuration. This is documented in the file doc/FILTER.
Please send email to drawbridge@net.tamu.edu if you have
further questions.

o Filter now uses NDIS 2.01 DOS drivers. Therefore any Ethernet
cards or FDDI cards with adequate NDIS drivers can be
used with Drawbridge 2.0.

o Filter now has an IP protocol stack and the management occurs
via UDP. This allows the Filter Manager to run on just
about any Unix platform that has BSD sockets. (Note
that currently I haven't ported it to platforms other
than Solaris 2.3.)

o Filter now uses an (as far as we know) exportable Pseudo One
Time Pad cryptographic scheme for authentication and
privacy over the management channel.

o Filter now provides statistics from both the console and
Filter Manager. Both Filter specific and NDIS
statistics are reported.

o Filter is now interrupt driven rather than polling (forced
because of NDIS) and performance is better. With the
previously recommended setup Filter now produces peak
transfer rates of approximately 5.5 Mb/sec versus the
previously measured peak of 3.5 Mb/sec. 10 Mb/sec on
ethernet should be easily achieved with faster cards,
buses and CPUs.

Under FDDI with a 60MHz Pentium and two EISA Network
Peripherals FDDI cards, data rates up to 18Mb/sec have
been measured. The actual limit is higher but we do
not have a reliable testbed capable of generating and
measuring higher data rates at this time.

o Filter now uses XMS to store the network tables in extended
memory. A cache is kept in low memory.

o Filter has a new switch which controls whether or not packets
other than IP/ARP/RARP are transparently bridged.

o Filter Compiler (and Filter) is backward source and binary
compatible. Other than bug fixes, no changes have
been made to the Filter Compiler.

For Filter, the DES key file is no longer used and
a new file PASSWORD is maintained. Also Filter
Manager no longer uses .fmkey.* files.

o The GNU Copyleft has been removed. This material is now
covered under a Berkeley/MIT style copyright, i.e.
you can do anything you want with the code but must
credit us. See the file COPYING.

o A few commands have been added/changed in the Filter
Manager. The changes are documented under the help
system.
