You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

241 lines
10 KiB

  1. 2.2 - 04/09/2020
  2. - Add multiport support to acl/forward
  3. 2.1p2 - 02/27/2020
  4. - Fix issue with NAT variable not being reset after being changed
  5. 2.1p1 - 01/01/2020
  6. - Refactor NETMAP NAT target so its more flexible. See new example nat.conf file for details
  7. 2.1 Final - 07/12/2019
  8. - Fix flush tables rule for raw
  9. - Final 2.1 release since we've had 2.1 for 5 years now without being 'released'
  10. 2.1 Beta 1 - 11/19/2018
  11. - Add run-after and run-before rules (custom/runafter.sh and custom/runbefore.sh)
  12. 2.1 Alpha 3 - 04/25/2016
  13. - Fix issue with erasing variables in two different setups
  14. - mss clamp fix for fwd target
  15. 2.1 Alpha 2 - 03/15/2015
  16. - Unset variables in loops to make sure theres no leakage of
  17. variables into the next run of the loop
  18. 04/09/2015
  19. - Allow use of 'all' in MSS rules to match all forwarding/out traffic
  20. 2.1 Alpha 1 - 11/29/2014
  21. - Added support for custom fields in NAT and ACL rules, as this allows
  22. definition of Policy rules in the ACL files (mostly useful for IPSec)
  23. - NAT rules no longer add accept state rules, should be added in forward.conf
  24. manually
  25. 2.01 Alpha 1 - 07/27/2014
  26. - Fix executable bits on .sh files in custom
  27. - Make MSS clamp optional and allow setting MSS size manually
  28. 2.00 Release
  29. - Add common options for sysctl/proc tweaking of network settings
  30. - Yay stable release!
  31. 2.00 Alpha 3 -
  32. - Give people knobs to tinker with regarding state matching. Kills
  33. multiple birds with one stone.
  34. - forward.conf
  35. - acl.conf
  36. - IPv6 is actually working in this version when you have default policy set to DROP
  37. IPv6 is particularly difficult regarding ICMPv6 - had to put in quite a few
  38. allows by default to make it happy. Going to have to go through the list
  39. and prune it once the code stabilizes.
  40. - rule-save/rule-save6 scripts as beginning of work to be able to cache scripts
  41. may switch to normal iptables-save/iptables-restore if it works better
  42. once I've had time to work on it.
  43. - script finally has most features of firewall/sosdg v1.1, meaning it can
  44. successfully replace firewall/sosdg in most setups, provided you are
  45. willing to redo the config.
  46. - Added config examples here: http://www.sosdg.org/software/srfirewall/examples
  47. - Implemented -f flag for flushing rules and setting iptables back to default
  48. - Fix port forwarding rules so works correctly with FORWARD set to DROP as default
  49. 2.00 Alpha 2 - 04/12/2014
  50. - Slightly better documentation
  51. - Kernel module loading - 4/11/2014
  52. - The next two changes affect config files:
  53. - Add syn matching to acl.conf rules - this may break existing rules
  54. - Add syn and port/protocol matching to forward.conf rules - this will not
  55. break existing rules since it adds 4 new options at the end that can
  56. be omitted completely.
  57. - Fix some variable detection rules to be more reliable.
  58. - Fix some rule issues after real life stress testing.
  59. 2.00 Alpha 1 - 04/10/2014
  60. - Complete code rewrite and restructure to solve some long standing issues with v1
  61. - Separate out functions into support files for easier grouping of what they do
  62. - Make more compatible with multiple disto file layouts
  63. - Basic functionality implemented:
  64. - Trusted IP source (IPv4/IPv6) - 3/30/2014
  65. - MSS Clamping (IPv4/IPv6) - 3/30/2014
  66. - Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
  67. - Adapted to use conntracking if available - 4/5/2014
  68. - Easy Block functionality (IPv4/IPv6) - 3/31/2014
  69. - ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
  70. - NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014
  71. - IPv6 NAT/NETMAP is untested, have no internal use for it,
  72. let me know if works/doesnt
  73. - Forwarding functionality (IPv4/IPv6) - 4/5/2014
  74. - Adapted to use conntracking if available - 4/6/2014
  75. - Deps on Enablev(4|6)ConnectionTracking for NAT functionality - 4/5/2014
  76. - Service functionality (IPv4/IPv6) 4/6/2014
  77. - Port forwarding functionality (IPv4/IPv6) 4/6/2014
  78. - Default policy support (IPv4/IPv6) 4/9/2014
  79. - Add somewhat crude Debian package files, will need to be worked on... - 4/8/2014
  80. =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
  81. 1.1 - Brielle Bruns <bruns@2mbit.com>
  82. - Reorder rules, place allow before block to allow overrides
  83. - Fixes for conntrack rules for better security (added -o/-i)
  84. - Correct some incorrect info in options.default
  85. 1.0 - Brielle Bruns <bruns@2mbit.com>
  86. - Minor tweaks to various config files
  87. - Fix issue with tweaks loading
  88. - Version 1.0
  89. 0.9.14 - Brielle Bruns <bruns@2mbit.com>
  90. - IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
  91. - Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
  92. we're not really going to need to track connections forwarding through the system.
  93. I can probably be proven wrong if you don't use NAT but use the script for stateful
  94. firewalling with non-RFC1918 IPs....
  95. - Cleanup work on code for v1.0
  96. 0.9.13 - Brielle Bruns <bruns@2mbit.com>
  97. - Fix location of ipv6 fi statement, moved to end of ipv6 rules
  98. - Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
  99. to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
  100. - Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
  101. - IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS
  102. 0.9.12 - Brielle Bruns <bruns@2mbit.com>
  103. - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
  104. block incoming to.
  105. - Add support for allowing IPV6 critical ICMP messages, on by default
  106. - Add support for interception of IPv4 packets, aka transparent proxy
  107. - Add beginning support for error checking of variable inputs, still not functional yet.
  108. - Test if we are using at least bash 3.x, since some of the more advanced features
  109. we are using to make this script work don't work too well with bash < 3.0 or dash.
  110. 0.9.11 - Brielle Bruns <bruns@2mbit.com>
  111. - Move some of the config clutter to conf/ - you can
  112. put your config files anywhere, but by default, they're
  113. now going to be in conf/
  114. - Beginning work on configuration tool. If it ever
  115. gets completed is a whole different story. :)
  116. - Option to use state or conntrack module for state tracking.
  117. By default, use conntrack.
  118. - After some research, we seem to not need NEW state match in FORWARD
  119. - Auto detect default gateway interface and IP of interface. Has potential problems
  120. if run before we've got a default interface, so manually define EXTIF to be sure, and
  121. things should be okay. This is mostly for people with dynamic IPs.
  122. 0.9.10 - Brielle Bruns <bruns@2mbit.com>
  123. - Move clamp mss up earlier in the rules to possibly
  124. fix an issue I noticed during testing
  125. - Move icmp allow code
  126. - Prevent duplicate icmp allow rules in NAT code
  127. - NETMAP support in NAT code
  128. 0.9.9a - Brielle Bruns <bruns@2mbit.com>
  129. - Minor bug fixes for my coding errors introduced in
  130. the change of IPv6 variables
  131. 0.9.9 - Brielle Bruns <bruns@2mbit.com>
  132. - Loadable module support during firewall loading
  133. - More init script fixes.
  134. - Non-conntracked DNS reply packets allow options
  135. - Slightly improved IPv6 support to start to bring
  136. it up to par with IPv4 support.
  137. - ipv6 marking support, changed ipv4 to use | instead of :
  138. - Renamed IPV6 variables, please read INSTALL file about conversion of config file
  139. to new format.
  140. 0.9.8a - Brielle Bruns <bruns@2mbit.com>
  141. - Fixing executable file permission issues
  142. - Use /bin/bash in initscript cause dash does not recognize
  143. more advanced methods that bash can use. Oops. Easiest
  144. way to keep up to date is to symlink /etc/init.d/firewall-sosdg
  145. to /etc/firewall-sosdg/doc/firewall-sosdg.init
  146. 0.9.8 - Brielle Bruns <bruns@2mbit.com>
  147. - Almost at v1.0 quality for my tastes
  148. - BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage
  149. - Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7
  150. hammering DHCP server for unknown reason?
  151. - Cleanups
  152. - No longer display list of blocked IPs, considering if they are
  153. as long as my list is, they'll take 4 pages to display...
  154. - New block file format, much more capable now, thanks to
  155. an hour or two of improving my bash scripting skills to the
  156. point where I can do more complex breakdowns of formats
  157. - Rename blocked to ipv4-blocked since we're going to have
  158. ipv6 support
  159. - ipv6 blocking support. Different format for config file
  160. because IPv6 uses :, which means we get to use | for both
  161. ipv4 and ipv6 (goes against a previous commit)
  162. 0.9.7 - Brielle Bruns <bruns@2mbit.com>
  163. - Support for marking packets, uses new config file and
  164. IPv4_MARK file option
  165. - MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of
  166. arp requests on Linux
  167. - Allow use of multiport iptables module to reduce amount of rules
  168. 0.9.6 - Brielle Bruns <bruns@2mbit.com>
  169. - Minor changes to procedures in planning of 1.0
  170. 0.9.5 - Brielle Bruns <bruns@2mbit.com>
  171. - Makefile to automate building tarball and for future use
  172. - More changes to port-forwards file to support source IP and external IP (existing
  173. config _will_ be incompatible)
  174. 0.9.4 - Brielle Bruns <bruns@2mbit.com>
  175. - Initscript
  176. - stop-firewall for... stopping the firewall!
  177. - Code cleanups
  178. - Use of functions for some processes
  179. - Fix DHCP rule
  180. - Obsoleted NATRANGE, NATEXTIP, NATEXTIF
  181. - Added NAT_RANGE which can take SNAT/MASQ rules
  182. - Changed port forwarding rules to include external interface
  183. 0.9.3 - Brielle Bruns <bruns@2mbit.com>
  184. - Misc tweaks and reorg
  185. - Custom command files
  186. 0.9 - Brielle Bruns <bruns@2mbit.com>
  187. - Colorize output
  188. - Added outbound port blocking options
  189. 0.8 - Brielle Bruns <bruns@2mbit.com>
  190. - IPv6 Connection Tracking fixes
  191. - Strip ECN off of specific outbound packets
  192. 0.7 - Brielle Bruns <bruns@2mbit.com>
  193. - MSS Clamp on IPv6
  194. - MSS Fixes, yes, its ugly
  195. - Beginning support for bogons filtering and updater
  196. script. Does not work yet, so don't use.
  197. 0.6 - Brielle Bruns <bruns@2mbit.com>
  198. - Fixed some potential ordering issues with NAT
  199. - Added file for blocked IPs, plus new config option
  200. 0.5 - Brielle Bruns <bruns@2mbit.com>
  201. - Fixing ipv6 UDP firewalling rules
  202. - Fixing IPv6 client routing block rules
  203. - Added new IPV6LAN interface option
  204. 0.4 - Brielle Bruns <bruns@2mbit.com>
  205. - Added support for pre-run commands
  206. - Fixed several bugs with NAT commands