215 lines
9.3 KiB
Plaintext
215 lines
9.3 KiB
Plaintext
2.1 Alpha 1 - 11/29/2014
|
|
- Added support for custom fields in NAT and ACL rules, as this allows
|
|
definition of Policy rules in the ACL files (mostly useful for IPSec)
|
|
- NAT rules no longer add accept state rules, should be added in forward.conf
|
|
manually
|
|
|
|
2.01 Alpha 1 - 07/27/2014
|
|
- Fix executable bits on .sh files in custom
|
|
- Make MSS clamp optional and allow setting MSS size manually
|
|
|
|
2.00 Release
|
|
- Add common options for sysctl/proc tweaking of network settings
|
|
- Yay stable release!
|
|
|
|
2.00 Alpha 3 -
|
|
- Give people knobs to tinker with regarding state matching. Kills
|
|
multiple birds with one stone.
|
|
- forward.conf
|
|
- acl.conf
|
|
- IPv6 is actually working in this version when you have default policy set to DROP
|
|
IPv6 is particularly difficult regarding ICMPv6 - had to put in quite a few
|
|
allows by default to make it happy. Going to have to go through the list
|
|
and prune it once the code stabilizes.
|
|
- rule-save/rule-save6 scripts as beginning of work to be able to cache scripts
|
|
may switch to normal iptables-save/iptables-restore if it works better
|
|
once I've had time to work on it.
|
|
- script finally has most features of firewall/sosdg v1.1, meaning it can
|
|
successfully replace firewall/sosdg in most setups, provided you are
|
|
willing to redo the config.
|
|
- Added config examples here: http://www.sosdg.org/software/srfirewall/examples
|
|
- Implemented -f flag for flushing rules and setting iptables back to default
|
|
- Fix port forwarding rules so works correctly with FORWARD set to DROP as default
|
|
|
|
2.00 Alpha 2 - 04/12/2014
|
|
- Slightly better documentation
|
|
- Kernel module loading - 4/11/2014
|
|
- The next two changes affect config files:
|
|
- Add syn matching to acl.conf rules - this may break existing rules
|
|
- Add syn and port/protocol matching to forward.conf rules - this will not
|
|
break existing rules since it adds 4 new options at the end that can
|
|
be omitted completely.
|
|
- Fix some variable detection rules to be more reliable.
|
|
- Fix some rule issues after real life stress testing.
|
|
|
|
2.00 Alpha 1 - 04/10/2014
|
|
- Complete code rewrite and restructure to solve some long standing issues with v1
|
|
- Separate out functions into support files for easier grouping of what they do
|
|
- Make more compatible with multiple disto file layouts
|
|
- Basic functionality implemented:
|
|
- Trusted IP source (IPv4/IPv6) - 3/30/2014
|
|
- MSS Clamping (IPv4/IPv6) - 3/30/2014
|
|
- Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
|
|
- Adapted to use conntracking if available - 4/5/2014
|
|
- Easy Block functionality (IPv4/IPv6) - 3/31/2014
|
|
- ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
|
|
- NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014
|
|
- IPv6 NAT/NETMAP is untested, have no internal use for it,
|
|
let me know if works/doesnt
|
|
- Forwarding functionality (IPv4/IPv6) - 4/5/2014
|
|
- Adapted to use conntracking if available - 4/6/2014
|
|
- Deps on Enablev(4|6)ConnectionTracking for NAT functionality - 4/5/2014
|
|
- Service functionality (IPv4/IPv6) 4/6/2014
|
|
- Port forwarding functionality (IPv4/IPv6) 4/6/2014
|
|
- Default policy support (IPv4/IPv6) 4/9/2014
|
|
- Add somewhat crude Debian package files, will need to be worked on... - 4/8/2014
|
|
|
|
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
|
|
1.1 - Brielle Bruns <bruns@2mbit.com>
|
|
- Reorder rules, place allow before block to allow overrides
|
|
- Fixes for conntrack rules for better security (added -o/-i)
|
|
- Correct some incorrect info in options.default
|
|
|
|
1.0 - Brielle Bruns <bruns@2mbit.com>
|
|
- Minor tweaks to various config files
|
|
- Fix issue with tweaks loading
|
|
- Version 1.0
|
|
|
|
0.9.14 - Brielle Bruns <bruns@2mbit.com>
|
|
- IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
|
|
- Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
|
|
we're not really going to need to track connections forwarding through the system.
|
|
I can probably be proven wrong if you don't use NAT but use the script for stateful
|
|
firewalling with non-RFC1918 IPs....
|
|
- Cleanup work on code for v1.0
|
|
|
|
0.9.13 - Brielle Bruns <bruns@2mbit.com>
|
|
- Fix location of ipv6 fi statement, moved to end of ipv6 rules
|
|
- Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
|
|
to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
|
|
- Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
|
|
- IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS
|
|
|
|
0.9.12 - Brielle Bruns <bruns@2mbit.com>
|
|
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
|
|
block incoming to.
|
|
- Add support for allowing IPV6 critical ICMP messages, on by default
|
|
- Add support for interception of IPv4 packets, aka transparent proxy
|
|
- Add beginning support for error checking of variable inputs, still not functional yet.
|
|
- Test if we are using at least bash 3.x, since some of the more advanced features
|
|
we are using to make this script work don't work too well with bash < 3.0 or dash.
|
|
|
|
0.9.11 - Brielle Bruns <bruns@2mbit.com>
|
|
- Move some of the config clutter to conf/ - you can
|
|
put your config files anywhere, but by default, they're
|
|
now going to be in conf/
|
|
- Beginning work on configuration tool. If it ever
|
|
gets completed is a whole different story. :)
|
|
- Option to use state or conntrack module for state tracking.
|
|
By default, use conntrack.
|
|
- After some research, we seem to not need NEW state match in FORWARD
|
|
- Auto detect default gateway interface and IP of interface. Has potential problems
|
|
if run before we've got a default interface, so manually define EXTIF to be sure, and
|
|
things should be okay. This is mostly for people with dynamic IPs.
|
|
|
|
0.9.10 - Brielle Bruns <bruns@2mbit.com>
|
|
- Move clamp mss up earlier in the rules to possibly
|
|
fix an issue I noticed during testing
|
|
- Move icmp allow code
|
|
- Prevent duplicate icmp allow rules in NAT code
|
|
- NETMAP support in NAT code
|
|
|
|
0.9.9a - Brielle Bruns <bruns@2mbit.com>
|
|
- Minor bug fixes for my coding errors introduced in
|
|
the change of IPv6 variables
|
|
|
|
0.9.9 - Brielle Bruns <bruns@2mbit.com>
|
|
- Loadable module support during firewall loading
|
|
- More init script fixes.
|
|
- Non-conntracked DNS reply packets allow options
|
|
- Slightly improved IPv6 support to start to bring
|
|
it up to par with IPv4 support.
|
|
- ipv6 marking support, changed ipv4 to use | instead of :
|
|
- Renamed IPV6 variables, please read INSTALL file about conversion of config file
|
|
to new format.
|
|
|
|
0.9.8a - Brielle Bruns <bruns@2mbit.com>
|
|
- Fixing executable file permission issues
|
|
- Use /bin/bash in initscript cause dash does not recognize
|
|
more advanced methods that bash can use. Oops. Easiest
|
|
way to keep up to date is to symlink /etc/init.d/firewall-sosdg
|
|
to /etc/firewall-sosdg/doc/firewall-sosdg.init
|
|
|
|
0.9.8 - Brielle Bruns <bruns@2mbit.com>
|
|
- Almost at v1.0 quality for my tastes
|
|
- BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage
|
|
- Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7
|
|
hammering DHCP server for unknown reason?
|
|
- Cleanups
|
|
- No longer display list of blocked IPs, considering if they are
|
|
as long as my list is, they'll take 4 pages to display...
|
|
- New block file format, much more capable now, thanks to
|
|
an hour or two of improving my bash scripting skills to the
|
|
point where I can do more complex breakdowns of formats
|
|
- Rename blocked to ipv4-blocked since we're going to have
|
|
ipv6 support
|
|
- ipv6 blocking support. Different format for config file
|
|
because IPv6 uses :, which means we get to use | for both
|
|
ipv4 and ipv6 (goes against a previous commit)
|
|
|
|
0.9.7 - Brielle Bruns <bruns@2mbit.com>
|
|
- Support for marking packets, uses new config file and
|
|
IPv4_MARK file option
|
|
- MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of
|
|
arp requests on Linux
|
|
- Allow use of multiport iptables module to reduce amount of rules
|
|
|
|
0.9.6 - Brielle Bruns <bruns@2mbit.com>
|
|
- Minor changes to procedures in planning of 1.0
|
|
|
|
0.9.5 - Brielle Bruns <bruns@2mbit.com>
|
|
- Makefile to automate building tarball and for future use
|
|
- More changes to port-forwards file to support source IP and external IP (existing
|
|
config _will_ be incompatible)
|
|
|
|
0.9.4 - Brielle Bruns <bruns@2mbit.com>
|
|
- Initscript
|
|
- stop-firewall for... stopping the firewall!
|
|
- Code cleanups
|
|
- Use of functions for some processes
|
|
- Fix DHCP rule
|
|
- Obsoleted NATRANGE, NATEXTIP, NATEXTIF
|
|
- Added NAT_RANGE which can take SNAT/MASQ rules
|
|
- Changed port forwarding rules to include external interface
|
|
|
|
0.9.3 - Brielle Bruns <bruns@2mbit.com>
|
|
- Misc tweaks and reorg
|
|
- Custom command files
|
|
|
|
0.9 - Brielle Bruns <bruns@2mbit.com>
|
|
- Colorize output
|
|
- Added outbound port blocking options
|
|
|
|
0.8 - Brielle Bruns <bruns@2mbit.com>
|
|
- IPv6 Connection Tracking fixes
|
|
- Strip ECN off of specific outbound packets
|
|
|
|
0.7 - Brielle Bruns <bruns@2mbit.com>
|
|
- MSS Clamp on IPv6
|
|
- MSS Fixes, yes, its ugly
|
|
- Beginning support for bogons filtering and updater
|
|
script. Does not work yet, so don't use.
|
|
|
|
0.6 - Brielle Bruns <bruns@2mbit.com>
|
|
- Fixed some potential ordering issues with NAT
|
|
- Added file for blocked IPs, plus new config option
|
|
|
|
0.5 - Brielle Bruns <bruns@2mbit.com>
|
|
- Fixing ipv6 UDP firewalling rules
|
|
- Fixing IPv6 client routing block rules
|
|
- Added new IPV6LAN interface option
|
|
|
|
0.4 - Brielle Bruns <bruns@2mbit.com>
|
|
- Added support for pre-run commands
|
|
- Fixed several bugs with NAT commands
|