
ChangeLog

1.1 - Brielle Bruns <bruns@2mbit.com>
  - Reorder rules, place allow before block to allow overrides
  - Fixes for conntrack rules for better security (added -o/-i)
  - Correct some incorrect info in options.default

1.0 - Brielle Bruns <bruns@2mbit.com>
  - Minor tweaks to various config files
  - Fix issue with tweaks loading
  - Version 1.0

0.9.14 - Brielle Bruns <bruns@2mbit.com>
  - IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
  - Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
    we're not really going to need to track connections forwarding through the system.
    I can probably be proven wrong if you don't use NAT but use the script for stateful
    firewalling with non-RFC1918 IPs....
  - Cleanup work on code for v1.0

0.9.13 - Brielle Bruns <bruns@2mbit.com>
  - Fix location of ipv6 fi statement, moved to end of ipv6 rules
  - Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
    to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
  - Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
  - IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS

0.9.12 - Brielle Bruns <bruns@2mbit.com>
  - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
    block incoming to.
  - Add support for allowing IPv6 critical ICMP messages, on by default
  - Add support for interception of IPv4 packets, aka transparent proxy
  - Add beginning support for error checking of variable inputs, still not functional yet.
  - Test if we are using at least bash 3.x, since some of the more advanced features
    we are using to make this script work don't work too well with bash < 3.0 or dash.

0.9.11 - Brielle Bruns <bruns@2mbit.com>
  - Move some of the config clutter to conf/ - you can
    put your config files anywhere, but by default, they're
    now going to be in conf/
  - Beginning work on configuration tool. If it ever
    gets completed is a whole different story. :)
  - Option to use state or conntrack module for state tracking.
    By default, use conntrack.
  - After some research, we seem to not need NEW state match in FORWARD
  - Auto detect default gateway interface and IP of interface. Has potential problems
    if run before we've got a default interface, so manually define EXTIF to be sure, and
    things should be okay. This is mostly for people with dynamic IPs.

0.9.10 - Brielle Bruns <bruns@2mbit.com>
  - Move clamp mss up earlier in the rules to possibly
    fix an issue I noticed during testing
  - Move icmp allow code
  - Prevent duplicate icmp allow rules in NAT code
  - NETMAP support in NAT code

0.9.9a - Brielle Bruns <bruns@2mbit.com>
  - Minor bug fixes for my coding errors introduced in
    the change of IPv6 variables

0.9.9 - Brielle Bruns <bruns@2mbit.com>
  - Loadable module support during firewall loading
  - More init script fixes.
  - Non-conntracked DNS reply packets allow options
  - Slightly improved IPv6 support to start to bring
    it up to par with IPv4 support.
  - ipv6 marking support, changed ipv4 to use | instead of :
  - Renamed IPV6 variables, please read INSTALL file about conversion of config file
    to new format.

0.9.8a - Brielle Bruns <bruns@2mbit.com>
  - Fixing executable file permission issues
  - Use /bin/bash in initscript because dash does not recognize
    more advanced methods that bash can use. Oops. Easiest
    way to keep up to date is to symlink /etc/init.d/firewall-sosdg
    to /etc/firewall-sosdg/doc/firewall-sosdg.init

0.9.8 - Brielle Bruns <bruns@2mbit.com>
  - Almost at v1.0 quality for my tastes
  - BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help shore up security of LAN space leakage
  - Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7
    hammering DHCP server for unknown reason?
  - Cleanups
  - No longer display list of blocked IPs, considering if they are
    as long as my list is, they'll take 4 pages to display...
  - New block file format, much more capable now, thanks to
    an hour or two of improving my bash scripting skills to the
    point where I can do more complex breakdowns of formats
  - Rename blocked to ipv4-blocked since we're going to have
    ipv6 support
  - ipv6 blocking support. Different format for config file
    because IPv6 uses :, which means we get to use | for both
    ipv4 and ipv6 (goes against a previous commit)

0.9.7 - Brielle Bruns <bruns@2mbit.com>
  - Support for marking packets, uses new config file and
    IPv4_MARK file option
  - MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of
    arp requests on Linux
  - Allow use of multiport iptables module to reduce amount of rules

0.9.6 - Brielle Bruns <bruns@2mbit.com>
  - Minor changes to procedures in planning of 1.0

0.9.5 - Brielle Bruns <bruns@2mbit.com>
  - Makefile to automate building tarball and for future use
  - More changes to port-forwards file to support source IP and external IP (existing
    config _will_ be incompatible)

0.9.4 - Brielle Bruns <bruns@2mbit.com>
  - Initscript
  - stop-firewall for... stopping the firewall!
  - Code cleanups
  - Use of functions for some processes
  - Fix DHCP rule
  - Obsoleted NATRANGE, NATEXTIP, NATEXTIF
  - Added NAT_RANGE which can take SNAT/MASQ rules
  - Changed port forwarding rules to include external interface

0.9.3 - Brielle Bruns <bruns@2mbit.com>
  - Misc tweaks and reorg
  - Custom command files

0.9 - Brielle Bruns <bruns@2mbit.com>
  - Colorize output
  - Added outbound port blocking options

0.8 - Brielle Bruns <bruns@2mbit.com>
  - IPv6 Connection Tracking fixes
  - Strip ECN off of specific outbound packets

0.7 - Brielle Bruns <bruns@2mbit.com>
  - MSS Clamp on IPv6
  - MSS Fixes, yes, it's ugly
  - Beginning support for bogons filtering and updater
    script. Does not work yet, so don't use.

0.6 - Brielle Bruns <bruns@2mbit.com>
  - Fixed some potential ordering issues with NAT
  - Added file for blocked IPs, plus new config option

0.5 - Brielle Bruns <bruns@2mbit.com>
  - Fixing ipv6 UDP firewalling rules
  - Fixing IPv6 client routing block rules
  - Added new IPV6LAN interface option

0.4 - Brielle Bruns <bruns@2mbit.com>
  - Added support for pre-run commands
  - Fixed several bugs with NAT commands
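The 1.1 entry ("place allow before block to allow overrides", "-o/-i" on the conntrack rules) and the 0.9.13 entry ("state match of allowing NEW was undoing the incoming blocks") both come down to one property of iptables chains: the first matching terminating rule wins. A broad accept of NEW traffic placed ahead of a block list makes the block list dead code, and a host-specific allow only overrides a block if it is ordered before it. The following Python model of first-match evaluation is an added example, not code from firewall-sosdg; the chains, addresses (RFC 5737 documentation ranges) and interface names are constructed for illustration, and the small rule subset (-s, --dport, -m conntrack --ctstate, -i) is modelled directly rather than parsed from real iptables syntax.

```python
"""Toy first-match model of an iptables filter chain (added example, not firewall-sosdg code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample addresses from the RFC 5737 documentation ranges.
BLOCKED_NET = "203.0.113.0/24"   # a block-list entry
OVERRIDE_HOST = "203.0.113.7"    # one host inside the blocked range that should still be allowed
OTHER_HOST = "198.51.100.5"      # an ordinary, unblocked peer


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dport: int      # destination port
    ctstate: str    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    in_if: str      # ingress interface (what iptables -i tests)


@dataclass(frozen=True)
class Rule:
    """One chain entry. A None field matches anything, like omitting that flag on the rule."""
    target: str                               # ACCEPT or DROP (terminating targets only)
    src: Optional[str] = None                 # -s CIDR
    dport: Optional[int] = None               # --dport
    ctstate: Optional[FrozenSet[str]] = None  # -m conntrack --ctstate a,b
    in_if: Optional[str] = None               # -i iface

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ctstate is not None and p.ctstate not in self.ctstate:
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


block_list = Rule("DROP", src=BLOCKED_NET)
allow_ssh = Rule("ACCEPT", dport=22, ctstate=frozenset({"NEW"}))
allow_override = Rule("ACCEPT", src=OVERRIDE_HOST, dport=22)

# The 0.9.13 bug pattern: an unscoped accept of NEW state sits before the block list,
# so every new connection is accepted before the block list is ever consulted.
CHAIN_NEW_FIRST = [Rule("ACCEPT", ctstate=frozenset({"NEW"})), block_list, allow_ssh]

# Corrected ordering: only ESTABLISHED,RELATED is accepted up front, scoped to the
# interface it is expected on (the -i idea from 1.1); NEW traffic must pass the block list.
CHAIN_FIXED = [Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"}), in_if="eth0"), block_list, allow_ssh]

# The 1.1 ordering rule: a host-specific allow overrides a block only when it comes first.
CHAIN_ALLOW_BEFORE_BLOCK = [allow_override, block_list, allow_ssh]
CHAIN_BLOCK_BEFORE_ALLOW = [block_list, allow_override, allow_ssh]


def verdicts() -> Dict[str, str]:
    """Run constructed packets through each chain and return the verdict per scenario."""
    syn_from_blocked = Packet("203.0.113.9", 22, "NEW", "eth0")
    syn_from_other = Packet(OTHER_HOST, 22, "NEW", "eth0")
    syn_from_override = Packet(OVERRIDE_HOST, 22, "NEW", "eth0")
    established_eth0 = Packet(OTHER_HOST, 40000, "ESTABLISHED", "eth0")
    established_wan1 = Packet(OTHER_HOST, 40000, "ESTABLISHED", "wan1")
    return {
        "new_first/blocked_host": evaluate(CHAIN_NEW_FIRST, syn_from_blocked),        # block undone
        "fixed/blocked_host": evaluate(CHAIN_FIXED, syn_from_blocked),                # block holds
        "fixed/other_host": evaluate(CHAIN_FIXED, syn_from_other),                    # service still reachable
        "allow_first/override_host": evaluate(CHAIN_ALLOW_BEFORE_BLOCK, syn_from_override),
        "block_first/override_host": evaluate(CHAIN_BLOCK_BEFORE_ALLOW, syn_from_override),
        "fixed/established_eth0": evaluate(CHAIN_FIXED, established_eth0),            # conntrack shortcut
        "fixed/established_wan1": evaluate(CHAIN_FIXED, established_wan1),            # wrong -i, falls to policy
    }


if __name__ == "__main__":
    for scenario, verdict in verdicts().items():
        print(f"{scenario:28s} -> {verdict}")
```

Running the script prints one verdict per scenario; the instructive pair is `new_first/blocked_host` (ACCEPT, because the NEW accept shadows the block list) against `fixed/blocked_host` (DROP), and the two `override_host` lines, which differ only in where the host-specific allow sits relative to the block. The interface-scoped ESTABLISHED,RELATED rule shows the other half of the 1.1 fix: a packet claiming an established state on an interface the rule does not name gets no shortcut and has to match something else or fall to the chain policy.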