CHANGES

Posted Aug 17, 1999

tags | tool, firewall
systems | unix
SHA-256 | 6a386b2452553a09c7e241bbe5cb0e887e0d38a7005dfecdac19d3ec585725b9

Brief history of changes made to this software:

March 1997 to present - FWTK 2.0+
---------------------------------

Add "pdf" to list of binary file types in http-gw

Fix typo in syslog.c that was causing builds to fail
when USE_UDP_SYSLOG defined

Fix syslogd signal handling botch that leads to syslogd
crash.

Correct SYSV switching in smap to remove wait3() reference

Fix off-by-one check in syslog

Fix skey prompting

Fix authsrv "onetime" parsing/setting

Correct tn-gw daemon argument processing

Fix hostmatch() core dump

Read plug-gw rules using service name, then "plug-gw"

Fixes since 2.0a beta:

Add patches for AIX 3.x from Pavel P. Zabortsev <ppz@cdu.elektra.ru>

Fix plug-gw service name rules to look for "plug-gw" lines if
there's no service name lines.

Fix various compile warnings and typos found during test.

September 1996 to January 1997 - FWTK 2.0
-----------------------------------------

Fixes to Linux makefile configuration to try to support
more variants of Linux. (Especially the dbm library.)

Clean up README references - especially to suggested mail
addresses.

Fix authadduser.sh argument order (the "password" command was
reversed.)

Always warn when authdump/authload can't read netperm-table.

Fix syslog() calls to limit string lengths to avoid buffer
overflows.

Fix several buffer termination bugs in authload

Fix command ambiguity bug in authmgr/authsrv

Remove gets() call in authmgr (replace with fgets() call)

Fix buffer overflow possibility in authmgr password change
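
The two entries above (replacing gets() and the password-change overflow) come down to the same thing: reading a line into a fixed buffer without letting input run past its end. The following is an added example, not code from the toolkit, showing the fgets() pattern with the check that gets() could never make: an overlong line is reported and drained rather than silently truncated, so the tail of a long password cannot be read back as the next command. PASS_MAX, read_line_bounded() and the read_from_string() helper are names assumed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FWTK code. PASS_MAX and the helper names are
 * assumptions for the demonstration. */
#define PASS_MAX 128

enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Read one line into buf (capacity cap) and strip the newline.
 * Unlike gets(), input can never run past cap-1 bytes; unlike a bare
 * fgets(), an overlong line is reported instead of being silently cut,
 * and its remainder is drained so the next read does not start in the
 * middle of it. */
static int read_line_bounded(FILE *fp, char *buf, size_t cap)
{
    size_t len;
    int c;

    if (cap == 0 || fgets(buf, (int)cap, fp) == NULL)
        return LINE_EOF;

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }

    /* No newline in the buffer: either the line ended exactly at the
     * buffer limit or at EOF (both fine), or it is too long. */
    c = getc(fp);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != '\n' && c != EOF)
        c = getc(fp);
    buf[0] = '\0';              /* never hand back a partial secret */
    return LINE_TOO_LONG;
}

/* Helper for the assertions: feed a constructed string through a
 * temporary file so read_line_bounded() sees a real FILE stream. */
static int read_from_string(const char *input, char *buf, size_t cap)
{
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL)
        return LINE_EOF;
    fputs(input, fp);
    rewind(fp);
    rc = read_line_bounded(fp, buf, cap);
    fclose(fp);
    return rc;
}

int main(void)
{
    char password[PASS_MAX];

    /* A real prompt would also turn off echo, as the toolkit's own
     * replacement for getpass() does; that is left out here. */
    fputs("New password: ", stdout);
    fflush(stdout);
    switch (read_line_bounded(stdin, password, sizeof password)) {
    case LINE_OK:       puts("accepted");                break;
    case LINE_TOO_LONG: puts("rejected: line too long"); break;
    default:            puts("rejected: no input");      break;
    }
    memset(password, 0, sizeof password);
    return 0;
}
```

The length check is deliberately separate from the read: a line of exactly cap-1 characters followed by a newline is accepted, only a line that still has bytes pending after the buffer is full is rejected.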

Rationalize authsrv time checking code

Fix "enable user one-time" command

Fix wizard checking in list commands so it works as expected
(group wizards can check their group only.)

Clean up authsrv client IO module

Fix authsrv database routines to open/close when necessary;
make sure files are closed when done.

Add SCO5 and OSF/1 conditionals and configuration files

Allow ftp-gw to be a daemon on other than the normal FTP port

Fix ftp-gw telnet options processing for IAC IAC, etc.

Add additional characters to the http-gw reserved list
(characters that http-gw doesn't change in URLs.)

Change all http-gw FTP users to "http-gw@host".

Add "%m" to several http-gw error reports so more detail is available

Fix netperm-table reader so an unterminated last line in the
netperm-table is not fatal

Add hostname length checking in DNS calls

Fix character set bugs in enargv(); correct several parsing
errors.

Improve portability of getpassword() code

Don't allow empty string to map to UID 0 (root)
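
The entry above closes a small but dangerous mapping hole: a user field that is empty or malformed, run through atoi(), yields 0, and 0 is root. The following is an added example, not the toolkit's mapuid(), of a strict version: a numeric spec must consist only of digits and be fully consumed, anything else is looked up with getpwnam(), and an empty or unparseable spec returns -1 so the caller refuses to continue rather than running as uid 0. The name mapuid_strict is hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Added example, not the toolkit's mapuid(). Returns the uid for a
 * netperm-table user spec, or -1 if the spec is empty, malformed or
 * unknown. The case the entry above fixes: atoi("") == 0, so an empty
 * user value silently became root. */
static long mapuid_strict(const char *spec)
{
    struct passwd *pw;
    char *end;
    long uid;

    if (spec == NULL || spec[0] == '\0')
        return -1;                    /* empty must never map to uid 0 */

    if (isdigit((unsigned char)spec[0])) {
        /* Numeric form: every character must be a digit. "12abc",
         * "7 " and "-1" are rejected rather than partially parsed. */
        errno = 0;
        uid = strtol(spec, &end, 10);
        if (*end != '\0' || errno != 0 || uid < 0)
            return -1;
        return uid;
    }

    /* Symbolic form: consult the password database; unknown name -> -1. */
    pw = getpwnam(spec);
    if (pw == NULL)
        return -1;
    return (long)pw->pw_uid;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "";   /* "" shows the bad case */
    long uid = mapuid_strict(spec);

    if (uid < 0) {
        printf("fwtkcfgerr: refusing to map \"%s\" to a uid\n", spec);
        return 1;
    }
    printf("\"%s\" -> uid %ld\n", spec, uid);
    return 0;
}
```

Refusing is the right failure mode for a proxy: the entry at the end of this file about authentication options makes the same argument, that a misconfigured privilege setting should stop the program, not silently give it more privilege.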

Fixes for syslog() overflow bugs - make buffer static (not on
the stack), increase buffer size. On overflow bail out.
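
The two syslog() entries in this section ("limit string lengths to avoid buffer overflows" and the static-buffer fix above) address the classic pattern of sprintf()ing attacker-supplied text such as a peer hostname or a URL into a fixed buffer before handing it to syslog(). The following is an added example, not the toolkit's code, of the bounded form the entries describe: a static buffer, vsnprintf() with an explicit truncation check, and bail-out on overflow. It also passes the finished message through a fixed "%s" so that user-controlled text can never act as a format string. LOGBUF_SIZE and the function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example, not FWTK code: bounded log-message formatting.
 * LOGBUF_SIZE and the function names below are assumptions. */
#define LOGBUF_SIZE 1024

/* Static buffer: a missed bounds check here cannot smash the caller's
 * stack frame, and it can be larger than is comfortable on the stack. */
static char logbuf[LOGBUF_SIZE];

/* Format into dst (capacity cap). Returns the length written, or -1 if
 * the message did not fit; dst is then NUL-terminated but truncated and
 * the caller should bail out rather than log it. */
static int format_bounded(char *dst, size_t cap, const char *fmt, va_list ap)
{
    int n;

    if (cap == 0)
        return -1;
    n = vsnprintf(dst, cap, fmt, ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= cap) {
        dst[cap - 1] = '\0';          /* vsnprintf did this; be explicit */
        return -1;
    }
    return n;
}

/* Variadic front end with the same contract; used by the assertions. */
static int format_into(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = format_bounded(dst, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Replacement for sprintf(buf, ...); syslog(pri, buf): formats into the
 * static buffer, bails out on overflow, and hands a fixed "%s" to
 * syslog() so the message itself can never be a format string. */
static int bounded_syslog(int pri, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = format_bounded(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);

    if (n < 0) {
        syslog(pri, "fwtksyserr: log message exceeded %d bytes, dropped",
               LOGBUF_SIZE);
        return -1;
    }
    syslog(pri, "%s", logbuf);
    return n;
}

int main(void)
{
    /* Constructed input standing in for a hostname read off the wire. */
    const char *peer = "evil.example%n%n%n";
    char line[32];

    openlog("fwtk-example", LOG_PID, LOG_DAEMON);
    bounded_syslog(LOG_NOTICE, "securityalert: deny host=%s", peer);
    if (format_into(line, sizeof line, "deny host=%s", peer) < 0)
        bounded_syslog(LOG_NOTICE, "fwtksyserr: message too long");
    closelog();
    return 0;
}
```

The "%n" bytes in the constructed peer name are harmless here precisely because the text reaches syslog() as an argument to "%s", never as the format.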

Fix port handling in plug-gw so that the target port number is
not overwritten

Fix plug-gw destination permit handling

Fix smap message limit code (552, not 550).
Correct smap end-of-message handling.

Change smapd child handling to not use SIGCHLD - poll
when processing messages instead.

Properly parse addresses (including route addresses) for
bad formats. Allow "/" with following whitespace.

Allow "-daemon" for telnet-gw to permit listening on other
ports (not just 23).

Fix telnet options processing

Fix invalid timeout handling in tn-gw (don't change the timeout).

Don't allow tn-gw options buffer to overflow
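
The telnet option entries in this section (IAC IAC handling in ftp-gw, telnet options processing, and the tn-gw options buffer) all concern the same parsing problem: 0xFF is both the command introducer (IAC) and a legal data byte, so the proxy has to unescape IAC IAC, strip negotiations out of the data stream, and cope with a sequence that is split across two reads, all without writing past its buffers. The following is an added example, not the toolkit's option code, of that decoder and of the matching outbound escaping; the function and type names are assumptions, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FWTK code. Telnet command bytes from RFC 854. */
#define IAC  255
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251
#define SB   250
#define SE   240

/* Records the last negotiation seen, so a caller can check what was
 * stripped from the data stream. */
struct opt_seen {
    int count;
    unsigned char cmd;
    unsigned char opt;
};

static void record_opt(unsigned char cmd, unsigned char opt, void *ctx)
{
    struct opt_seen *s = ctx;
    s->count++;
    s->cmd = cmd;
    s->opt = opt;
}

typedef void (*opt_cb)(unsigned char cmd, unsigned char opt, void *ctx);

/* Split a chunk of telnet input into data and negotiations. Data bytes
 * go to out (never more than n of them, so an n-byte out is enough);
 * IAC IAC becomes a single 0xFF; WILL/WONT/DO/DONT go to cb and are
 * dropped; subnegotiations and other commands are dropped. Returns the
 * number of input bytes consumed: a sequence cut off by the end of the
 * buffer is left unconsumed so the caller carries it into the next read. */
static size_t telnet_decode(const unsigned char *in, size_t n,
                            unsigned char *out, size_t *outlen,
                            opt_cb cb, void *ctx)
{
    size_t i = 0, o = 0;

    while (i < n) {
        unsigned char cmd;

        if (in[i] != IAC) {
            out[o++] = in[i++];
            continue;
        }
        if (i + 1 >= n)
            break;                          /* lone IAC: need more input */
        cmd = in[i + 1];
        if (cmd == IAC) {                   /* escaped data byte 0xFF */
            out[o++] = IAC;
            i += 2;
            continue;
        }
        if (cmd == WILL || cmd == WONT || cmd == DO || cmd == DONT) {
            if (i + 2 >= n)
                break;                      /* option byte not yet here */
            if (cb != NULL)
                cb(cmd, in[i + 2], ctx);
            i += 3;
            continue;
        }
        if (cmd == SB) {                    /* skip to IAC SE, else wait */
            size_t j = i + 2;
            while (j + 1 < n && !(in[j] == IAC && in[j + 1] == SE))
                j++;
            if (j + 1 >= n)
                break;
            i = j + 2;
            continue;
        }
        i += 2;                             /* NOP, AYT, ...: two bytes */
    }
    *outlen = o;
    return i;
}

/* Outbound: a data byte of 0xFF must be sent as IAC IAC or the far end
 * reads it as a command. out needs room for 2*n bytes. */
static size_t telnet_encode(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t i, o = 0;

    for (i = 0; i < n; i++) {
        if (in[i] == IAC)
            out[o++] = IAC;
        out[o++] = in[i];
    }
    return o;
}

/* Constructed input: "a", escaped 0xFF, "b", IAC DO ECHO(1), "c", and a
 * trailing IAC whose sequence has not arrived yet. */
static const unsigned char sample_in[] = { 'a', IAC, IAC, 'b', IAC, DO, 1, 'c', IAC };

int main(void)
{
    unsigned char out[sizeof sample_in];
    size_t outlen, used;
    struct opt_seen seen = { 0, 0, 0 };

    used = telnet_decode(sample_in, sizeof sample_in, out, &outlen, record_opt, &seen);
    printf("consumed %zu of %zu bytes, %zu data bytes, %d negotiations\n",
           used, sizeof sample_in, outlen, seen.count);
    return 0;
}
```

The bound on out is what keeps an options buffer from overflowing: decoding only ever shrinks the stream, and the consumed count lets the caller hold back the unfinished tail instead of guessing at it.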

Remove "mercury.hsi.com" from deny-summ.sh reporting script.

Fix syslogd signal handling to allow POSIX signals

March, 1996 to September, 1996 - FWTK 2.0 beta
----------------------------------------------

Centralize configuration differences in Makefile.config and provide
example copies for BSD/OS, SunOS, Solaris, HPUX.

Update BSD "fixmake" script to reference Makefile.config, not insert
it (so that edits to Makefile.config don't require a redundant
fixmake unfix;fixmake pass).

Fix porting problems on Solaris, HP-UX.

Apply authsrv fix to permit extended auth to work

Fix ftp-gw messages to remove extra null character

Correct ftp-gw deny message to log then correctly report the
denial to the client

Add "+" to list of HTTP reserved characters

Increase max URL length to 4096 bytes

Add Carl Claunch's java/javascript/ActiveX filtering to http-gw

Fix net_write to not error out on zero byte writes

Block persistent connection attempts

Upgrade http-gw internal icons (fix Netscape bug)

Make peername unknown non-fatal

Background proxy and become process group leader when operating
a proxy in '-daemon' mode

Add pattern matching for a single IP address digit (?)

Fix IP options checking to not hardwire FD 0

Add ssl tunneling support to http-gw (-ssl on plug-gw line in
netperm-table).

Remove trailing nulls in rlogin-gw messages

Handle overlong host addresses in rlogin, tn-gw

Add missing newline to smap "Received" line

Strip backquotes from mail addresses

Fix smap temp file handling

Update smapd waiting to allow multiple children

Update smapd error handling to minimize looping messages

Update bad address parsing code to allow additional valid addresses

Update tn-gw echo negotiation to avoid connect hangs

Remove trailing nulls from message strings in tn-gw

Fix "printf" vs "sprintf" botch in x-gw

Correct x-gw message handling (add newlines, etc.)


Nov 5, 1994 to March, 1996 - Fixes to V1.3
------------------------------------------

Changed to allow System V (Solaris) compile

Fixes to authsrv/authmgr to replace password prompting with
our own routine (allowing > 8 char passwords) and to permit
an authorization routine more flexibility in prompting.

Properly handle too-long lines in netperm-table

Handle multi-homed hosts in connects (try each address until one
works).

Allow all proxies to run as daemons (no longer need to use inetd)

Replace sys_errlist[errno] references with strerror() calls for
portability.

Fix urgent handling to use proper fd in SIOCPGRP ioctl call

Add strerror() and inet_ntoa() source to libfwall directory for
systems that don't have them.

Add option to rlogin-gw to automatically start an X session.

Add timeout processing to rlogin-gw.

Fix SMAP to allow multiple deliveries in a single transaction.

Correct SMAPD error/exit handling.

Make peername() return non-zero on failures.

Remove duplicate entries in ftp-gw operations table.

Correct netacl setuid() using a group id (call setgid instead).

Fix smapd file mode check.

Fix smapd empty file warning message to not report errno when
inappropriate.

Fix ftp-gw cpu loop on connect failures.

Ensure ftp-gw deny messages get syslog'd.

http-gw: Fix incorrect quoting in split anchors.

http-gw: Fix incorrect handling of bad URLs with three / chars

Use proper fd when querying peername in x-gw.

Fix http-gw FTP directory listing to strip "*", "@", etc. from
listings

Fix core dump when smapd tries to report an unexpected envelope.

http-gw: disallow embedded newlines in gopher URLs

Fix stuck http-gw processes (waiting for a read that will never
complete).

Add security proxy handoff to http-gw

Add common default timeout definition to firewall.h

Feb 21 - Nov 5, 1994 - Fixes to V1.2
-------------------------------------

Added DISCLAIMER -- READ it.

Added much better header parsing code to smapd (by Wietse Venema)

Added http proxy

Added X-windows gateway, and x-gw option in tn-gw and rlogin-gw

Took out the "loghost" option in syslog.c

Modified smapd to do more sensible things with its queue. It
will now keep a limited number of children going at a time,
and will not completely bury the system on startup after a
delay.

Fixed netperm-table reading code to handle all blank lines.

Fixed timeout code in ftp-gw to be more forgiving of systems
that decrement the passed timeout value.

Revamping of Makefiles to include a master Makefile.config.
Please see comments in Makefile.config.

Added ip-options detection based on 4.4bsd sources for rlogind.
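
The ip-options check above comes from the 4.4BSD rlogind: a connection that arrives with a loose or strict source route (LSRR/SSRR) can be spoofing a trusted address, and the replies would follow the route the attacker supplied, so the daemon inspects the options on the accepted socket, refuses source-routed connections, and clears any options before answering. The following is an added example, not the toolkit's or BSD's code, of that check: a parser over the raw option bytes plus a wrapper that takes the descriptor as a parameter (the 2.0 beta entry "Fix IP options checking to not hardwire FD 0" is the reason for that). The sample option blocks are constructed and the function names are assumptions.

```c
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Added example, not FWTK code. IPv4 option codes from RFC 791; the
 * names carry a trailing underscore to avoid clashing with <netinet/ip.h>. */
#define IPOPT_EOL_  0
#define IPOPT_NOP_  1
#define IPOPT_LSRR_ 131   /* 0x83: loose source and record route */
#define IPOPT_SSRR_ 137   /* 0x89: strict source and record route */

/* Walk a raw IPv4 options block. Returns 1 if it carries a source route,
 * 0 if not, -1 if the encoding is malformed (treat that as hostile). */
static int has_source_route(const unsigned char *opts, size_t len)
{
    size_t i = 0;

    while (i < len) {
        unsigned char code = opts[i];
        size_t optlen;

        if (code == IPOPT_EOL_)
            return 0;
        if (code == IPOPT_NOP_) {
            i++;
            continue;
        }
        if (i + 1 >= len)
            return -1;                      /* length byte missing */
        optlen = opts[i + 1];
        if (optlen < 2 || i + optlen > len)
            return -1;                      /* length runs past the block */
        if (code == IPOPT_LSRR_ || code == IPOPT_SSRR_)
            return 1;
        i += optlen;
    }
    return 0;
}

/* Check an accepted connection. Returns 1 if it arrived with a source
 * route (log a securityalert and drop it), 0 if clean. Any options are
 * cleared either way so replies do not follow a route the peer chose. */
static int reject_source_routed(int fd)
{
    unsigned char optbuf[40];               /* IPv4 options: at most 40 bytes */
    socklen_t optsize = sizeof optbuf;
    int rc;

    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, optbuf, &optsize) != 0 ||
        optsize == 0)
        return 0;
    rc = has_source_route(optbuf, optsize);
    (void)setsockopt(fd, IPPROTO_IP, IP_OPTIONS, NULL, 0);
    return rc != 0;
}

/* Constructed option blocks: NOP NOP LSRR(len 7, ptr 4, one address),
 * a plain record-route option, a minimal SSRR, and a truncated LSRR. */
static const unsigned char sample_lsrr[] = { 1, 1, 131, 7, 4, 10, 0, 0, 1 };
static const unsigned char sample_rr[]   = { 7, 7, 4, 192, 0, 2, 1 };
static const unsigned char sample_ssrr[] = { 137, 3, 4 };
static const unsigned char sample_bad[]  = { 131, 20, 4 };

int main(void)
{
    printf("lsrr: %d  rr: %d  ssrr: %d  truncated: %d\n",
           has_source_route(sample_lsrr, sizeof sample_lsrr),
           has_source_route(sample_rr, sizeof sample_rr),
           has_source_route(sample_ssrr, sizeof sample_ssrr),
           has_source_route(sample_bad, sizeof sample_bad));
    /* stdin is normally not a socket, so this reports 0 when run by hand. */
    printf("fd 0 source routed: %d\n", reject_source_routed(0));
    return 0;
}
```

Caveat on the wrapper: Linux returns the bare option bytes from IP_OPTIONS, but 4.4BSD-derived stacks prefix the buffer with the 4-byte first-hop address when a source route was present, so on those systems hand the parser optbuf + 4 and optsize - 4.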

Moved the "struct direct" configuration option for smapd into
firewall.h -- see the comments near where it says DIRECT_STRUCT

Added improved (I hope!) options negotiation that works better
with TN3270 and other telnet clients.

Added checksum printing code to snkkey.c

Moved the smapd compile directive to scan for bad addresses
to firewall.h -- see the comments near where it says
SMAPD_SCANBADADDR

Clarifications: system log entries now are tagged with
relevance strings for sorting and searching. If the system
log entry contains the word:
"securityalert" -- it's probably something you want to know about
"fwtkcfgerr" -- a firewall toolkit component thinks it is misconfigured
"fwtksyserr" -- something in how the fwtk uses the O/S failed in
a mission-critical way
Using facilities and levels would be easier but this guarantees
that other system alerts won't clash with toolkit notices.

Changed Makefiles to rely on top-level FLAGS and AUXLIBS
parameters. This makes it easier to add global system
libraries such as -lresolv or -lsocket, etc.

Updated README

Fixed ordering bug in search for permitted destinations
in cmd_passthrough() of ftp-gw

Fixed byte count not getting updated by tn-gw when in
raw mode

Fix to reset curbytes and currecip in smap upon start
of new message body (DATA command)

Added FWTK_VERSION string to firewall.h and included a
reference to it in lib/config.c, which is linked into
just about all components of the toolkit. Do a:
strings file | grep -i toolkit
to extract it

Fixed minor pointer problem with "localhost" mapping in ftp-gw

Added deny connect logging to tn/rlogin/ftpgw

Added ftp-gw summarizer

Fixed minor problem in auth/db.c where it failed to check for
an already closed db in authload

Added authdump and authload to "make install" target for auth

Fixed loop drop-out in tn-gw where it failed to let you change
your s/key password [Remy.Giraud@meteo.fr]

Modified ftp-gw to exit and log an error if given improper
configuration options.

Made authsrv log at LFAC instead of LOG_USER

S/key challenge now uses spaces instead of quotes, for termkey
users. (nmh@thumper.bellcore.com)

Revamp of reporting scripts in tools/admin/reporting


Oct 29, 1993 - Feb 17, 1994 - Fixes to V1.1
-------------------------------------------

Added a general purpose routine for setting out of band
signalling (HP/UX and SunOs do it differently). See
firewall.h

*updated* user's guide, admin guide, and overview slightly.

Support rand() interface for systems too crippled to use
random()

Changed mapu() to better named mapuid() and added ability
to set group values as well.

Included AIX authentication module to talk to auth server.
(Morten.Hermanrud@ibmuio.uio.no)

Added support for Enigma Logics Silver Card. (AUTHPROTO_ENIGMA)

Updated version numbers in rlogin-gw, smap, tn-gw, ftp-gw.

Changed smapd to fopen() files with "r+" -- System V
file locking requires [at least on SCO] seekability
on the file. smap does not share this problem if
using the provided version of mkstemp().

Removed unnecessary berklisms (fchmod and ftruncate) from
smap in an attempt to make it more agreeable to sysV machines.

Fixed minor oversight in options processing in oktotalkto()
in tn-gw

Fixed array offset bug in stash_option in tn-gw

Fixed "password" length compares in source and docs

Added update to securid client side to work with latest ACE software

Fixed ftpd to not permit users without password entries to attempt
to login

Added hook into ftp-gw to check for command argument to treat
as a username. This, combined with an ftpd that supports it permits
ftpd to exec the ftp-gw if it finds an '@' in the user name.
Added changes to the user() command in the ftpd in tools/server/ftpd

Added "user@" through proxy to explicitly mean "localhost"

Added logic to strip first null byte if first byte is null going
through telnet proxy. This appears to be a bug in some versions
of telnet, but the exact nature of it remains unknown. The null
byte was confusing to some telnet servers, so this appears to be
an effective, inexpensive, though somewhat ad hoc patch.

Fixed login-sh to set $SHELL environment variable

Removed truncation bug in tn-gw that chopped long destination
names at 20 chars

Fixed an exit(1) in login-sh that should have been return(1)

Added welcome banner to rlogin-gw


Oct 22-29, 1993 - Fixes to V1.0
-------------------------------
Fixed synchronization problem with how FTP proxy talks to
the authentication server.

Changed all proxies that use authentication (rlogin-gw, tn-gw,
ftp-gw) to exit if they have an incorrectly configured option.
This was deemed proper, since if someone wants to configure
authentication, and doesn't get the syntax correct, the proxy
should fail to work at all, rather than working without using
authentication.

Changed rlogin-gw to reset local user identity to whomever the
user authenticated as, if using authentication server.

Fixed local/global declaration of confp in crypto/cliio.c

Re-arranged parameter order for password command in authsrv to
match order of other commands. Somewhat beefed up diagnostic
messages.

Major revamping of how tn-gw lies to the client. No more timers
and all that stuff. I don't know why I didn't think of doing it
this way before. Works lots better.

Made the FTP proxy a little more flexible in its handling of
responses to challenges. It turns out that challenges with
whitespace in them make some FTP clients unhappy, which
raised all manner of quoting issues.

Made FTP proxy handle "USER" command more sensibly with
authentication, to replace the somewhat awkward "quote auth user"
approach.

Updated docs. Added words on rlogin proxy to user's guide.
Adjusted man pages.

Removed logentry and logfile options from smap and netacl.
Everything should use one logging mechanism: syslog.

Fixed return() that should have been continue; in login-sh,
which caused it to exit on comments.

Fixed handling of "baddir" in smapd.

Changed auth server issuance of bogus challenge to be optional.
This means that the auth server protocol now must recognize
that the responses to an "authenticate username" may now be:
password
challenge challengestring
<other text>
Where the other text is some form of error message. This change
was reflected in tn-gw, rlogin-gw, ftp-gw, ftpd, and login-sh
as well as the documentation.

Added comment to auth protocol, to permit proxies to give
better logging information to the server. Now all proxies
send:
"authorize username 'comment'"
which is logged. This entailed changes to authsrv and all
clients. Change is backwards compatible with existing code.

Added out of band signal support to rlogin-gw so that window
size changes now propagate correctly. Note that some systems
without fcntl F_SETOWN will now have to adapt code.

Added hooks to drop tn-gw into a "raw" mode when talking to
non-telnet ports through the proxy. This works OK with many
versions of telnet but some do not function properly because
they are broken in the first place (Sun's PC-NFS telnet
client doesn't map cr/lf right)

smapd's notion of where the sendmail executable resides is
now configurable.

Fixed offset bug in -dest !hosts in tn/ftp/rlogin-gw and documented
the '!' hosts feature (which was present but broken and undocumented
in V1.0)

Added more sample config files to config, including some samples from
TIS' bastion host.

Changed smap/smapd to no longer operate on publicly readable
files.

Added a sleep timeout to authentication failures (see "badsleep"
in the man page for authsrv). Instead of locking a user account
permanently, by configuring badsleep, you can disable account
locking, or set it to a 5 minute (or whatever) lockout.

Added "SCANBADADDR" option to smapd. If this is configured in
the smapd makefile, it will perform a draconian translation
of all '|' characters found in the message envelope (not header)
to '#' characters.
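
The SCANBADADDR option above is a defence against a specific MTA behaviour: sendmail and its contemporaries treat a leading '|' in an address as "pipe the message into this program", so an envelope address like "|/bin/sh" that a relay passes through untouched is a command line for the mail system behind it. The following is an added example, not smapd's code, of that scrub applied to SMTP envelope commands only (MAIL FROM / RCPT TO), leaving message headers alone as the entry says. The function names are assumptions and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not smapd's code; function names are assumptions. */

/* Rewrite every '|' in an envelope line to '#'. Returns the number of
 * characters rewritten so the caller can log a securityalert when the
 * count is non-zero. */
static size_t scrub_envelope(char *line)
{
    size_t hits = 0;
    char *p;

    for (p = line; *p != '\0'; p++) {
        if (*p == '|') {
            *p = '#';
            hits++;
        }
    }
    return hits;
}

/* Apply the scrub only to envelope commands. Returns the number of
 * rewrites, or -1 if the line is not MAIL FROM / RCPT TO (header text,
 * DATA, and so on are left untouched, matching the "envelope, not
 * header" scope of SCANBADADDR). */
static long scrub_if_envelope(char *line)
{
    if (strncasecmp(line, "MAIL FROM:", 10) == 0 ||
        strncasecmp(line, "RCPT TO:", 8) == 0)
        return (long)scrub_envelope(line);
    return -1;
}

/* Constructed envelope and header lines as an SMTP client might send them. */
static const char *const sample_lines[] = {
    "MAIL FROM:<|/usr/bin/uudecode>",
    "RCPT TO:<user@example.com>",
    "RCPT TO:<\"|/bin/sh -c id\"@example.com>",
    "Subject: a|b is fine in a header",
};

int main(void)
{
    char line[256];
    size_t i;

    for (i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        strncpy(line, sample_lines[i], sizeof line - 1);
        line[sizeof line - 1] = '\0';
        if (scrub_if_envelope(line) > 0)
            printf("securityalert: pipe in envelope rewritten: %s\n", line);
        else
            printf("ok: %s\n", line);
    }
    return 0;
}
```

Rewriting rather than rejecting is the "draconian" choice the entry describes: the message is still delivered, but to an address that no longer means anything to the MTA.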

Fixed a bug in how "unknown" was processed.

Fixed conn.c to check rbuf != NULL (a NULL rbuf caused a core dump). :(