246 lines
10 KiB

2.2.1 - 04/17/2021
- Add support for iptables options via IPTABLESOPT and IP6TABLESOPT. These options are
applied at the beginning of the command line options to EVERY instance of $IPTABLES.
Useful for '-w' to deal with xtables lock issues.
2.2 - 04/09/2020
- Add multiport support to acl/forward
2.1p2 - 02/27/2020
- Fix issue with NAT variable not being reset after being changed
2.1p1 - 01/01/2020
- Refactor NETMAP NAT target so its more flexible. See new example nat.conf file for details
2.1 Final - 07/12/2019
- Fix flush tables rule for raw
- Final 2.1 release since we've had 2.1 for 5 years now without being 'released'
2.1 Beta 1 - 11/19/2018
- Add run-after and run-before rules (custom/ and custom/
2.1 Alpha 3 - 04/25/2016
- Fix issue with erasing variables in two different setups
- mss clamp fix for fwd target
2.1 Alpha 2 - 03/15/2015
- Unset variables in loops to make sure theres no leakage of
variables into the next run of the loop
- Allow use of 'all' in MSS rules to match all forwarding/out traffic
2.1 Alpha 1 - 11/29/2014
- Added support for custom fields in NAT and ACL rules, as this allows
definition of Policy rules in the ACL files (mostly useful for IPSec)
- NAT rules no longer add accept state rules, should be added in forward.conf
2.01 Alpha 1 - 07/27/2014
- Fix executable bits on .sh files in custom
- Make MSS clamp optional and allow setting MSS size manually
2.00 Release
- Add common options for sysctl/proc tweaking of network settings
- Yay stable release!
2.00 Alpha 3 -
- Give people knobs to tinker with regarding state matching. Kills
multiple birds with one stone.
- forward.conf
- acl.conf
- IPv6 is actually working in this version when you have default policy set to DROP
IPv6 is particularly difficult regarding ICMPv6 - had to put in quite a few
allows by default to make it happy. Going to have to go through the list
and prune it once the code stabilizes.
- rule-save/rule-save6 scripts as beginning of work to be able to cache scripts
may switch to normal iptables-save/iptables-restore if it works better
once I've had time to work on it.
- script finally has most features of firewall/sosdg v1.1, meaning it can
successfully replace firewall/sosdg in most setups, provided you are
willing to redo the config.
- Added config examples here:
- Implemented -f flag for flushing rules and setting iptables back to default
- Fix port forwarding rules so works correctly with FORWARD set to DROP as default
2.00 Alpha 2 - 04/12/2014
- Slightly better documentation
- Kernel module loading - 4/11/2014
- The next two changes affect config files:
- Add syn matching to acl.conf rules - this may break existing rules
- Add syn and port/protocol matching to forward.conf rules - this will not
break existing rules since it adds 4 new options at the end that can
be omitted completely.
- Fix some variable detection rules to be more reliable.
- Fix some rule issues after real life stress testing.
2.00 Alpha 1 - 04/10/2014
- Complete code rewrite and restructure to solve some long standing issues with v1
- Separate out functions into support files for easier grouping of what they do
- Make more compatible with multiple disto file layouts
- Basic functionality implemented:
- Trusted IP source (IPv4/IPv6) - 3/30/2014
- MSS Clamping (IPv4/IPv6) - 3/30/2014
- Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
- Adapted to use conntracking if available - 4/5/2014
- Easy Block functionality (IPv4/IPv6) - 3/31/2014
- ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
- NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014
- IPv6 NAT/NETMAP is untested, have no internal use for it,
let me know if works/doesnt
- Forwarding functionality (IPv4/IPv6) - 4/5/2014
- Adapted to use conntracking if available - 4/6/2014
- Deps on Enablev(4|6)ConnectionTracking for NAT functionality - 4/5/2014
- Service functionality (IPv4/IPv6) 4/6/2014
- Port forwarding functionality (IPv4/IPv6) 4/6/2014
- Default policy support (IPv4/IPv6) 4/9/2014
- Add somewhat crude Debian package files, will need to be worked on... - 4/8/2014
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
1.1 - Brielle Bruns <>
- Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default
1.0 - Brielle Bruns <>
- Minor tweaks to various config files
- Fix issue with tweaks loading
- Version 1.0
0.9.14 - Brielle Bruns <>
- IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
- Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
we're not really going to need to track connections forwarding through the system.
I can probably be proven wrong if you don't use NAT but use the script for stateful
firewalling with non-RFC1918 IPs....
- Cleanup work on code for v1.0
0.9.13 - Brielle Bruns <>
- Fix location of ipv6 fi statement, moved to end of ipv6 rules
- Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
- Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
- IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS
0.9.12 - Brielle Bruns <>
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
block incoming to.
- Add support for allowing IPV6 critical ICMP messages, on by default
- Add support for interception of IPv4 packets, aka transparent proxy
- Add beginning support for error checking of variable inputs, still not functional yet.
- Test if we are using at least bash 3.x, since some of the more advanced features
we are using to make this script work don't work too well with bash < 3.0 or dash.
0.9.11 - Brielle Bruns <>
- Move some of the config clutter to conf/ - you can
put your config files anywhere, but by default, they're
now going to be in conf/
- Beginning work on configuration tool. If it ever
gets completed is a whole different story. :)
- Option to use state or conntrack module for state tracking.
By default, use conntrack.
- After some research, we seem to not need NEW state match in FORWARD
- Auto detect default gateway interface and IP of interface. Has potential problems
if run before we've got a default interface, so manually define EXTIF to be sure, and
things should be okay. This is mostly for people with dynamic IPs.
0.9.10 - Brielle Bruns <>
- Move clamp mss up earlier in the rules to possibly
fix an issue I noticed during testing
- Move icmp allow code
- Prevent duplicate icmp allow rules in NAT code
- NETMAP support in NAT code
0.9.9a - Brielle Bruns <>
- Minor bug fixes for my coding errors introduced in
the change of IPv6 variables
0.9.9 - Brielle Bruns <>
- Loadable module support during firewall loading
- More init script fixes.
- Non-conntracked DNS reply packets allow options
- Slightly improved IPv6 support to start to bring
it up to par with IPv4 support.
- ipv6 marking support, changed ipv4 to use | instead of :
- Renamed IPV6 variables, please read INSTALL file about conversion of config file
to new format.
0.9.8a - Brielle Bruns <>
- Fixing executable file permission issues
- Use /bin/bash in initscript cause dash does not recognize
more advanced methods that bash can use. Oops. Easiest
way to keep up to date is to symlink /etc/init.d/firewall-sosdg
to /etc/firewall-sosdg/doc/firewall-sosdg.init
0.9.8 - Brielle Bruns <>
- Almost at v1.0 quality for my tastes
- BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage
- Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7
hammering DHCP server for unknown reason?
- Cleanups
- No longer display list of blocked IPs, considering if they are
as long as my list is, they'll take 4 pages to display...
- New block file format, much more capable now, thanks to
an hour or two of improving my bash scripting skills to the
point where I can do more complex breakdowns of formats
- Rename blocked to ipv4-blocked since we're going to have
ipv6 support
- ipv6 blocking support. Different format for config file
because IPv6 uses :, which means we get to use | for both
ipv4 and ipv6 (goes against a previous commit)
0.9.7 - Brielle Bruns <>
- Support for marking packets, uses new config file and
IPv4_MARK file option
- MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of
arp requests on Linux
- Allow use of multiport iptables module to reduce amount of rules
0.9.6 - Brielle Bruns <>
- Minor changes to procedures in planning of 1.0
0.9.5 - Brielle Bruns <>
- Makefile to automate building tarball and for future use
- More changes to port-forwards file to support source IP and external IP (existing
config _will_ be incompatible)
0.9.4 - Brielle Bruns <>
- Initscript
- stop-firewall for... stopping the firewall!
- Code cleanups
- Use of functions for some processes
- Fix DHCP rule
- Added NAT_RANGE which can take SNAT/MASQ rules
- Changed port forwarding rules to include external interface
0.9.3 - Brielle Bruns <>
- Misc tweaks and reorg
- Custom command files
0.9 - Brielle Bruns <>
- Colorize output
- Added outbound port blocking options
0.8 - Brielle Bruns <>
- IPv6 Connection Tracking fixes
- Strip ECN off of specific outbound packets
0.7 - Brielle Bruns <>
- MSS Clamp on IPv6
- MSS Fixes, yes, its ugly
- Beginning support for bogons filtering and updater
script. Does not work yet, so don't use.
0.6 - Brielle Bruns <>
- Fixed some potential ordering issues with NAT
- Added file for blocked IPs, plus new config option
0.5 - Brielle Bruns <>
- Fixing ipv6 UDP firewalling rules
- Fixing IPv6 client routing block rules
- Added new IPV6LAN interface option
0.4 - Brielle Bruns <>
- Added support for pre-run commands
- Fixed several bugs with NAT commands