2.2.1 - 04/17/2021
- Add support for iptables options via IPTABLESOPT and IP6TABLESOPT. These options are
  applied at the beginning of the command line options to EVERY instance of $IPTABLES.
  Useful for '-w' to deal with xtables lock issues.
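The IPTABLESOPT/IP6TABLESOPT mechanism described in the entry above, as an added example (not srfirewall's own code): a wrapper that puts the per-family option variable in front of every iptables/ip6tables call, plus stub binaries so it runs offline. Defaulting both variables to -w, the "<family> <rule>" input format and aborting the load on the first failed rule are assumptions of this example.

```shell
#!/bin/bash
# Added example, not srfirewall's own code: models how IPTABLESOPT/IP6TABLESOPT
# are prepended to every iptables/ip6tables call, and makes the load fail closed.

IPTABLES=${IPTABLES:-iptables}
IP6TABLES=${IP6TABLES:-ip6tables}
# Assumption for this example: default to -w so a rule waits for the xtables lock.
IPTABLESOPT=${IPTABLESOPT:--w}
IP6TABLESOPT=${IP6TABLESOPT:--w}

# Run one rule for address family 4 or 6. The *OPT variable is left unquoted
# on purpose so a value like "-w 5" expands to two arguments and lands in
# front of the rule; the rule arguments themselves are passed through as-is.
fw_rule() {
    family=$1; shift
    if [ "$family" = 6 ]; then
        "$IP6TABLES" $IP6TABLESOPT "$@"
    else
        "$IPTABLES" $IPTABLESOPT "$@"
    fi
}

# Read rules from stdin, one per line as "<family> <iptables arguments>", and
# stop at the first failure: a silently skipped rule in a DROP-policy ruleset
# means either a hole in the firewall or a locked-out administrator.
fw_load() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # shellcheck disable=SC2086  # word-split the rule on purpose
        fw_rule "${line%% *}" ${line#* } || {
            echo "rule failed, aborting load: $line" >&2
            return 1
        }
    done
}

# Offline stand-ins for the real binaries: each echoes the argv it received,
# which is enough to see where the option variables land.
iptables_stub()  { echo "iptables $*"; }
ip6tables_stub() { echo "ip6tables $*"; }
# Demo run against the stubs with two constructed rules, one per family.
demo() {
    IPTABLES=iptables_stub IP6TABLES=ip6tables_stub
    IPTABLESOPT=-w IP6TABLESOPT="-w 5"
    fw_load <<'EOF'
4 -A INPUT -p tcp --dport 22 -j ACCEPT
6 -A INPUT -p ipv6-icmp -j ACCEPT
EOF
}
```

Source the file and call `demo` to see the composed command lines; pointing IPTABLES at a binary that fails shows `fw_load` stopping at the first bad rule instead of continuing past it.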
2.2 - 04/09/2020
- Add multiport support to acl/forward

2.1p2 - 02/27/2020
- Fix issue with NAT variable not being reset after being changed

2.1p1 - 01/01/2020
- Refactor NETMAP NAT target so it's more flexible. See new example nat.conf file for details

2.1 Final - 07/12/2019
- Fix flush tables rule for raw
- Final 2.1 release since we've had 2.1 for 5 years now without being 'released'

2.1 Beta 1 - 11/19/2018
- Add run-after and run-before rules (custom/runafter.sh and custom/runbefore.sh)

2.1 Alpha 3 - 04/25/2016
- Fix issue with erasing variables in two different setups
- mss clamp fix for fwd target

2.1 Alpha 2 - 03/15/2015
- Unset variables in loops to make sure there's no leakage of
  variables into the next run of the loop

04/09/2015
- Allow use of 'all' in MSS rules to match all forwarding/out traffic

2.1 Alpha 1 - 11/29/2014
- Added support for custom fields in NAT and ACL rules, as this allows
  definition of Policy rules in the ACL files (mostly useful for IPSec)
- NAT rules no longer add accept state rules, should be added in forward.conf
  manually

2.01 Alpha 1 - 07/27/2014
- Fix executable bits on .sh files in custom
- Make MSS clamp optional and allow setting MSS size manually

2.00 Release
- Add common options for sysctl/proc tweaking of network settings
- Yay stable release!

2.00 Alpha 3 -
- Give people knobs to tinker with regarding state matching. Kills
  multiple birds with one stone.
  - forward.conf
  - acl.conf
- IPv6 is actually working in this version when you have default policy set to DROP.
  IPv6 is particularly difficult regarding ICMPv6 - had to put in quite a few
  allows by default to make it happy. Going to have to go through the list
  and prune it once the code stabilizes.
- rule-save/rule-save6 scripts as beginning of work to be able to cache scripts;
  may switch to normal iptables-save/iptables-restore if it works better
  once I've had time to work on it.
- script finally has most features of firewall/sosdg v1.1, meaning it can
  successfully replace firewall/sosdg in most setups, provided you are
  willing to redo the config.
- Added config examples here: http://www.sosdg.org/software/srfirewall/examples
- Implemented -f flag for flushing rules and setting iptables back to default
- Fix port forwarding rules so they work correctly with FORWARD set to DROP as default

2.00 Alpha 2 - 04/12/2014
- Slightly better documentation
- Kernel module loading - 4/11/2014
- The next two changes affect config files:
  - Add syn matching to acl.conf rules - this may break existing rules
  - Add syn and port/protocol matching to forward.conf rules - this will not
    break existing rules since it adds 4 new options at the end that can
    be omitted completely.
- Fix some variable detection rules to be more reliable.
- Fix some rule issues after real life stress testing.

2.00 Alpha 1 - 04/10/2014
- Complete code rewrite and restructure to solve some long standing issues with v1
- Separate out functions into support files for easier grouping of what they do
- Make more compatible with multiple distro file layouts
- Basic functionality implemented:
  - Trusted IP source (IPv4/IPv6) - 3/30/2014
  - MSS Clamping (IPv4/IPv6) - 3/30/2014
  - Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
  - Adapted to use conntracking if available - 4/5/2014
  - Easy Block functionality (IPv4/IPv6) - 3/31/2014
  - ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
  - NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014
    - IPv6 NAT/NETMAP is untested, have no internal use for it,
      let me know if it works/doesn't
  - Forwarding functionality (IPv4/IPv6) - 4/5/2014
  - Adapted to use conntracking if available - 4/6/2014
  - Deps on Enablev(4|6)ConnectionTracking for NAT functionality - 4/5/2014
  - Service functionality (IPv4/IPv6) 4/6/2014
  - Port forwarding functionality (IPv4/IPv6) 4/6/2014
  - Default policy support (IPv4/IPv6) 4/9/2014
- Add somewhat crude Debian package files, will need to be worked on... - 4/8/2014

=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=

1.1 - Brielle Bruns <bruns@2mbit.com>
- Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default

1.0 - Brielle Bruns <bruns@2mbit.com>
- Minor tweaks to various config files
- Fix issue with tweaks loading
- Version 1.0

0.9.14 - Brielle Bruns <bruns@2mbit.com>
- IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
- Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
  we're not really going to need to track connections forwarding through the system.
  I can probably be proven wrong if you don't use NAT but use the script for stateful
  firewalling with non-RFC1918 IPs....
- Cleanup work on code for v1.0

0.9.13 - Brielle Bruns <bruns@2mbit.com>
- Fix location of ipv6 fi statement, moved to end of ipv6 rules
- Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
  to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
- Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
- IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS

0.9.12 - Brielle Bruns <bruns@2mbit.com>
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
  block incoming to.
- Add support for allowing IPV6 critical ICMP messages, on by default
- Add support for interception of IPv4 packets, aka transparent proxy
- Add beginning support for error checking of variable inputs, still not functional yet.
- Test if we are using at least bash 3.x, since some of the more advanced features
  we are using to make this script work don't work too well with bash < 3.0 or dash.

0.9.11 - Brielle Bruns <bruns@2mbit.com>
- Move some of the config clutter to conf/ - you can
  put your config files anywhere, but by default, they're
  now going to be in conf/
- Beginning work on configuration tool. If it ever
  gets completed is a whole different story. :)
- Option to use state or conntrack module for state tracking.
  By default, use conntrack.
- After some research, we seem to not need NEW state match in FORWARD
- Auto detect default gateway interface and IP of interface. Has potential problems
  if run before we've got a default interface, so manually define EXTIF to be sure, and
  things should be okay. This is mostly for people with dynamic IPs.

0.9.10 - Brielle Bruns <bruns@2mbit.com>
- Move clamp mss up earlier in the rules to possibly
  fix an issue I noticed during testing
- Move icmp allow code
- Prevent duplicate icmp allow rules in NAT code
- NETMAP support in NAT code

0.9.9a - Brielle Bruns <bruns@2mbit.com>
- Minor bug fixes for my coding errors introduced in
  the change of IPv6 variables

0.9.9 - Brielle Bruns <bruns@2mbit.com>
- Loadable module support during firewall loading
- More init script fixes.
- Non-conntracked DNS reply packets allow options
- Slightly improved IPv6 support to start to bring
  it up to par with IPv4 support.
- ipv6 marking support, changed ipv4 to use | instead of :
- Renamed IPV6 variables, please read INSTALL file about conversion of config file
  to new format.

0.9.8a - Brielle Bruns <bruns@2mbit.com>
- Fixing executable file permission issues
- Use /bin/bash in initscript because dash does not recognize
  more advanced methods that bash can use. Oops. Easiest
  way to keep up to date is to symlink /etc/init.d/firewall-sosdg
  to /etc/firewall-sosdg/doc/firewall-sosdg.init

0.9.8 - Brielle Bruns <bruns@2mbit.com>
- Almost at v1.0 quality for my tastes
- BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help shore up security of LAN space leakage
- Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7
  hammering DHCP server for unknown reason?
- Cleanups
- No longer display list of blocked IPs, considering if they are
  as long as my list is, they'll take 4 pages to display...
- New block file format, much more capable now, thanks to
  an hour or two of improving my bash scripting skills to the
  point where I can do more complex breakdowns of formats
- Rename blocked to ipv4-blocked since we're going to have
  ipv6 support
- ipv6 blocking support. Different format for config file
  because IPv6 uses :, which means we get to use | for both
  ipv4 and ipv6 (goes against a previous commit)

0.9.7 - Brielle Bruns <bruns@2mbit.com>
- Support for marking packets, uses new config file and
  IPv4_MARK file option
- MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of
  arp requests on Linux
- Allow use of multiport iptables module to reduce amount of rules

0.9.6 - Brielle Bruns <bruns@2mbit.com>
- Minor changes to procedures in planning of 1.0

0.9.5 - Brielle Bruns <bruns@2mbit.com>
- Makefile to automate building tarball and for future use
- More changes to port-forwards file to support source IP and external IP (existing
  config _will_ be incompatible)

0.9.4 - Brielle Bruns <bruns@2mbit.com>
- Initscript
- stop-firewall for... stopping the firewall!
- Code cleanups
- Use of functions for some processes
- Fix DHCP rule
- Obsoleted NATRANGE, NATEXTIP, NATEXTIF
- Added NAT_RANGE which can take SNAT/MASQ rules
- Changed port forwarding rules to include external interface

0.9.3 - Brielle Bruns <bruns@2mbit.com>
- Misc tweaks and reorg
- Custom command files

0.9 - Brielle Bruns <bruns@2mbit.com>
- Colorize output
- Added outbound port blocking options

0.8 - Brielle Bruns <bruns@2mbit.com>
- IPv6 Connection Tracking fixes
- Strip ECN off of specific outbound packets

0.7 - Brielle Bruns <bruns@2mbit.com>
- MSS Clamp on IPv6
- MSS Fixes, yes, it's ugly
- Beginning support for bogons filtering and updater
  script. Does not work yet, so don't use.

0.6 - Brielle Bruns <bruns@2mbit.com>
- Fixed some potential ordering issues with NAT
- Added file for blocked IPs, plus new config option

0.5 - Brielle Bruns <bruns@2mbit.com>
- Fixing ipv6 UDP firewalling rules
- Fixing IPv6 client routing block rules
- Added new IPV6LAN interface option

0.4 - Brielle Bruns <bruns@2mbit.com>
- Added support for pre-run commands
- Fixed several bugs with NAT commands