Release Notes:
==============

05/17/2003 (v0.82)

No one's complained seriously about the nightly lately, so we're releasing
it for lack for anything better to do! Not sure how it got to be ten
months since the last minor version. Oops. Here's some of the stuff
that's been added since then.

* Added DESTDIR option to Makefile to assist with packaging.

* Added auth source support for NIS and IMAP, and made substantial
improvements to the RADIUS, LDAP, and PAM support, almost entirely due
to patches sent by our amazing users. You guys rock. PAM support is
still a little flaky, apparently. We're still working on it.

* Made logging to disk optional again.

* Gateway now resets log files on SIGHUP if it's logging locally. This
can be used in conjunction with log rotation schemes.

* Added IgnoreMAC gateway option, if the NoCat gateway isn't connected
to the internal network at Layer 2.

* Added DNS autoconfiguration via /etc/resolv.conf, using a patch from
DJ Gregor.

* Altered authserv.conf to support pgsql out of the box and to document
the enhanced RADIUS support.

* NoCatAuth now features a setuid firewall wrapper so that the gateway
can be run as a user other than root. Run "make suid-gateway" to build
NoCat with the suid wrapper. You will need a copy of gcc handy for
this step. All praise Terry Schmidt for dreaming up the idea in the
first place.

* Open mode g/w now automatically parses any HTML files it delivers for
$whatnot type variables. This will permit the NYCWireless folks to have
the login page be different from the splash page.

* Added -F command-line option to gateway, to prevent daemonization.

-=-=-=-=-=-=-=-

07/07/2002 (v0.81)

		*** IMPORTANT ***

If you're upgrading from 0.80, Read the README!!!

		*** IMPORTANT ***

Lots of nifty updates for 0.81.  New features:

* Samba, LDAP, and PAM authentication sources are now supported (and, in
some cases, greatly improved.)  Thanks to Scott Lemon (for his deadly ninja
LDAP fu), Martin Davidsson (for Radius.pm fixes).

* Greatly improved pf support, largely due to contributions from Richard Lotz
and DJ Gregor.

* Completely rewritten firewall scripts for iptables.  The new method sets
NoCat_* chains and manipulates them, and adds a single jump out to them. 
This makes it much easier to run the gateway on an existing firewall,
without mangling your firewall rules.  The gateway script also cleans itself
up on exit, (theoretically) leaving your original firewall rules as they
were.

* Status page support in Captive/Passive mode (http://gateway:5280/status
now works, just like it did in Open mode.)

The following bugs were hopefully squashed:

* Passwords are once again hashed before being stuck into MySQL (big oops in
v0.80).

* IE6 redirect problems are all resolved.

* Auto discovery of network devices and network numbers should be a bit more
stable.

* Diagnostic mode (-D) shouldn't eat all resources anymore

* AllowedWebHosts and RouteOnly should now work as advertised.

* Fixed a nasty situation where a user who changed their IP got caught in a
capture loop.

-=-=-=-=-=-=-=-

05/06/2002 (v0.80)

Ugh, two months since our last release... :-( Well, a number of factors have
intervened to make thorough testing temporarily difficult, and there have
been some particularly pesky bugs that we wanted to knock out before
continuing on our merry way. Some really exciting things have transpired
since then, however.

Fixed in this release:

* Bugginess in network autoconfiguration has been fixed. Autoconfig should
do the right thing if you've only got two network interfaces; otherwise, bet
on having to at least set your InternalDevice.

* The dreaded IE5/6 incompatibility with Passive mode appears to have been
fixed. Other browsers, such as OmniWeb, appear to be a lot happier with
Passive mode, now, too.

New in this release:

* Basic packetfilter support added for OpenBSD, thanks to Richard Lotz! This
support has NOT YET been thoroughly tested, so your feedback would really be
appreciated.

* New Open mode status page, based on patches from Don Park and Michael
Codanti, and recommendations from Andrew Woods. Way cool.

* Loopback firewall mode, which should in theory permit testing of the NoCat
gateway and authservice all on a single machine running iptables with no
network.  You can set up loopback mode by doing an ordinary "make gateway",
followed by "bin/detect-fw.sh loopback bin/" from /usr/local/nocat. Please
don't use this unless you really know what you're doing.

* Added LDAP support, using a NoCat::Source driver written by Nathan Zorn.
We don't have an LDAP server, so you'll have to test this and let us know if
it works, and send patches if it doesn't. :-)

* Added RADIUS support, based on sample code submitted by Jan-Patrick
Perisse. We don't have a RADIUS server, either, so please let me know if
this works! :-)

* The NoCat gateway now by default uses a post-forking model to handle
incoming client requests, which appears to have made the gateway
significantly more stable on PersonalTelco's public nodes. You can turn this
off (don't ask me why you'd want to, but you can) by adding "ForkOff 0" to
your nocat.conf.

-=-=-=-=-=-=-=-=-=-

03/07/2002 (v0.78)

Major bug fixes.

* Captive mode fixed. (Oops.)

* Passive mode really works now. If you run an authservice, it will need
the new renew_pasv.html form, plus a PassiveRenewForm directive that points
to it. See the latest authserv.conf for an example. I haven't tested passive
mode with every available browser, so the login renewal may not work with
every JavaScript implementation. If not, patches welcome. :-) The basic
gist, though, is that, using passive mode, you can now run NoCatAuth from
behind a NAT'ed firewall. (Hooray!)

* Automatic network discovery has been added! Through the magic of ifconfig
and netstat, NoCatAuth can now detect most gateway configurations
automatically. This makes InternalDevice, ExternalDevice, and LocalNetwork
optional in your nocat.conf, *unless* NoCat can't figure out what's going
on.

* Due to popular demand, you can now (once again?) run your gateway and your
authservice on the same machine. They should be installed to separate
directories, however. Of course, use of this feature is not recommended
for security reasons, but it will let you try out NoCatAuth without having
to set up multiple machines.

