brielle
/
SRFirewall
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Gotta love it when you have dos/win line endings unintentionally

master
bbruns@gmail.com 2014-03-29 16:57:08 +00:00
parent b0ba377ca4
commit 3cd26878b3
3 changed files with 159 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

310
ChangeLog
View File

@ -1,155 +1,155 @@
2.00 Alpha 1 2.00 Alpha 1
- Complete code rewrite and restructure to solve some long standing issues with v1 - Complete code rewrite and restructure to solve some long standing issues with v1
- Separate out functions into support files for easier grouping of what they do - Separate out functions into support files for easier grouping of what they do
- Make more compatible with debian filesystem layout, including separating out into - Make more compatible with debian filesystem layout, including separating out into
/etc/firewall-sosdg for configs only, /usr/sbin for actual scripts, and /etc/firewall-sosdg for configs only, /usr/sbin for actual scripts, and
/usr/lib/firewall-sosdg for include/functions/etc that don't belong in config /usr/lib/firewall-sosdg for include/functions/etc that don't belong in config
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-= =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
1.1 - Brielle Bruns <bruns@2mbit.com> 1.1 - Brielle Bruns <bruns@2mbit.com>
- Reorder rules, place allow before block to allow overrides - Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i) - Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default - Correct some incorrect info in options.default
1.0 - Brielle Bruns <bruns@2mbit.com> 1.0 - Brielle Bruns <bruns@2mbit.com>
- Minor tweaks to various config files - Minor tweaks to various config files
- Fix issue with tweaks loading - Fix issue with tweaks loading
- Version 1.0 - Version 1.0
0.9.14 - Brielle Bruns <bruns@2mbit.com> 0.9.14 - Brielle Bruns <bruns@2mbit.com>
- IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER) - IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
- Move FORWARD Established,Related rules to inside NAT rules, since without NAT, - Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
we're not really going to need to track connections forwarding through the system. we're not really going to need to track connections forwarding through the system.
I can probably be proven wrong if you don't use NAT but use the script for stateful I can probably be proven wrong if you don't use NAT but use the script for stateful
firewalling with non-RFC1918 IPs.... firewalling with non-RFC1918 IPs....
- Cleanup work on code for v1.0 - Cleanup work on code for v1.0
0.9.13 - Brielle Bruns <bruns@2mbit.com> 0.9.13 - Brielle Bruns <bruns@2mbit.com>
- Fix location of ipv6 fi statement, moved to end of ipv6 rules - Fix location of ipv6 fi statement, moved to end of ipv6 rules
- Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options - Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
to control them. Note the difference between BLOCKINCOMING and the PINPUT variable to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
- Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed. - Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
- IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS - IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS
0.9.12 - Brielle Bruns <bruns@2mbit.com> 0.9.12 - Brielle Bruns <bruns@2mbit.com>
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
block incoming to. block incoming to.
- Add support for allowing IPV6 critical ICMP messages, on by default - Add support for allowing IPV6 critical ICMP messages, on by default
- Add support for interception of IPv4 packets, aka transparent proxy - Add support for interception of IPv4 packets, aka transparent proxy
- Add beginning support for error checking of variable inputs, still not functional yet. - Add beginning support for error checking of variable inputs, still not functional yet.
- Test if we are using at least bash 3.x, since some of the more advanced features - Test if we are using at least bash 3.x, since some of the more advanced features
we are using to make this script work don't work too well with bash < 3.0 or dash. we are using to make this script work don't work too well with bash < 3.0 or dash.
0.9.11 - Brielle Bruns <bruns@2mbit.com> 0.9.11 - Brielle Bruns <bruns@2mbit.com>
- Move some of the config clutter to conf/ - you can - Move some of the config clutter to conf/ - you can
put your config files anywhere, but by default, they're put your config files anywhere, but by default, they're
now going to be in conf/ now going to be in conf/
- Beginning work on configuration tool. If it ever - Beginning work on configuration tool. If it ever
gets completed is a whole different story. :) gets completed is a whole different story. :)
- Option to use state or conntrack module for state tracking. - Option to use state or conntrack module for state tracking.
By default, use conntrack. By default, use conntrack.
- After some research, we seem to not need NEW state match in FORWARD - After some research, we seem to not need NEW state match in FORWARD
- Auto detect default gateway interface and IP of interface. Has potential problems - Auto detect default gateway interface and IP of interface. Has potential problems
if run before we've got a default interface, so manually define EXTIF to be sure, and if run before we've got a default interface, so manually define EXTIF to be sure, and
things should be okay. This is mostly for people with dynamic IPs. things should be okay. This is mostly for people with dynamic IPs.
0.9.10 - Brielle Bruns <bruns@2mbit.com> 0.9.10 - Brielle Bruns <bruns@2mbit.com>
- Move clamp mss up earlier in the rules to possibly - Move clamp mss up earlier in the rules to possibly
fix an issue I noticed during testing fix an issue I noticed during testing
- Move icmp allow code - Move icmp allow code
- Prevent duplicate icmp allow rules in NAT code - Prevent duplicate icmp allow rules in NAT code
- NETMAP support in NAT code - NETMAP support in NAT code
0.9.9a - Brielle Bruns <bruns@2mbit.com> 0.9.9a - Brielle Bruns <bruns@2mbit.com>
- Minor bug fixes for my coding errors introduced in - Minor bug fixes for my coding errors introduced in
the change of IPv6 variables the change of IPv6 variables
0.9.9 - Brielle Bruns <bruns@2mbit.com> 0.9.9 - Brielle Bruns <bruns@2mbit.com>
- Loadable module support during firewall loading - Loadable module support during firewall loading
- More init script fixes. - More init script fixes.
- Non-conntracked DNS reply packets allow options - Non-conntracked DNS reply packets allow options
- Slightly improved IPv6 support to start to bring - Slightly improved IPv6 support to start to bring
it up to par with IPv4 support. it up to par with IPv4 support.
- ipv6 marking support, changed ipv4 to use | instead of : - ipv6 marking support, changed ipv4 to use | instead of :
- Renamed IPV6 variables, please read INSTALL file about conversion of config file - Renamed IPV6 variables, please read INSTALL file about conversion of config file
to new format. to new format.
0.9.8a - Brielle Bruns <bruns@2mbit.com> 0.9.8a - Brielle Bruns <bruns@2mbit.com>
- Fixing executable file permission issues - Fixing executable file permission issues
- Use /bin/bash in initscript cause dash does not recognize - Use /bin/bash in initscript cause dash does not recognize
more advanced methods that bash can use. Oops. Easiest more advanced methods that bash can use. Oops. Easiest
way to keep up to date is to symlink /etc/init.d/firewall-sosdg way to keep up to date is to symlink /etc/init.d/firewall-sosdg
to /etc/firewall-sosdg/doc/firewall-sosdg.init to /etc/firewall-sosdg/doc/firewall-sosdg.init
0.9.8 - Brielle Bruns <bruns@2mbit.com> 0.9.8 - Brielle Bruns <bruns@2mbit.com>
- Almost at v1.0 quality for my tastes - Almost at v1.0 quality for my tastes
- BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage - BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage
- Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7 - Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7
hammering DHCP server for unknown reason? hammering DHCP server for unknown reason?
- Cleanups - Cleanups
- No longer display list of blocked IPs, considering if they are - No longer display list of blocked IPs, considering if they are
as long as my list is, they'll take 4 pages to display... as long as my list is, they'll take 4 pages to display...
- New block file format, much more capable now, thanks to - New block file format, much more capable now, thanks to
an hour or two of improving my bash scripting skills to the an hour or two of improving my bash scripting skills to the
point where I can do more complex breakdowns of formats point where I can do more complex breakdowns of formats
- Rename blocked to ipv4-blocked since we're going to have - Rename blocked to ipv4-blocked since we're going to have
ipv6 support ipv6 support
- ipv6 blocking support. Different format for config file - ipv6 blocking support. Different format for config file
because IPv6 uses :, which means we get to use | for both because IPv6 uses :, which means we get to use | for both
ipv4 and ipv6 (goes against a previous commit) ipv4 and ipv6 (goes against a previous commit)
0.9.7 - Brielle Bruns <bruns@2mbit.com> 0.9.7 - Brielle Bruns <bruns@2mbit.com>
- Support for marking packets, uses new config file and - Support for marking packets, uses new config file and
IPv4_MARK file option IPv4_MARK file option
- MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of - MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of
arp requests on Linux arp requests on Linux
- Allow use of multiport iptables module to reduce amount of rules - Allow use of multiport iptables module to reduce amount of rules
0.9.6 - Brielle Bruns <bruns@2mbit.com> 0.9.6 - Brielle Bruns <bruns@2mbit.com>
- Minor changes to procedures in planning of 1.0 - Minor changes to procedures in planning of 1.0
0.9.5 - Brielle Bruns <bruns@2mbit.com> 0.9.5 - Brielle Bruns <bruns@2mbit.com>
- Makefile to automate building tarball and for future use - Makefile to automate building tarball and for future use
- More changes to port-forwards file to support source IP and external IP (existing - More changes to port-forwards file to support source IP and external IP (existing
config _will_ be incompatible) config _will_ be incompatible)
0.9.4 - Brielle Bruns <bruns@2mbit.com> 0.9.4 - Brielle Bruns <bruns@2mbit.com>
- Initscript - Initscript
- stop-firewall for... stopping the firewall! - stop-firewall for... stopping the firewall!
- Code cleanups - Code cleanups
- Use of functions for some processes - Use of functions for some processes
- Fix DHCP rule - Fix DHCP rule
- Obsoleted NATRANGE, NATEXTIP, NATEXTIF - Obsoleted NATRANGE, NATEXTIP, NATEXTIF
- Added NAT_RANGE which can take SNAT/MASQ rules - Added NAT_RANGE which can take SNAT/MASQ rules
- Changed port forwarding rules to include external interface - Changed port forwarding rules to include external interface
0.9.3 - Brielle Bruns <bruns@2mbit.com> 0.9.3 - Brielle Bruns <bruns@2mbit.com>
- Misc tweaks and reorg - Misc tweaks and reorg
- Custom command files - Custom command files
0.9 - Brielle Bruns <bruns@2mbit.com> 0.9 - Brielle Bruns <bruns@2mbit.com>
- Colorize output - Colorize output
- Added outbound port blocking options - Added outbound port blocking options
0.8 - Brielle Bruns <bruns@2mbit.com> 0.8 - Brielle Bruns <bruns@2mbit.com>
- IPv6 Connection Tracking fixes - IPv6 Connection Tracking fixes
- Strip ECN off of specific outbound packets - Strip ECN off of specific outbound packets
0.7 - Brielle Bruns <bruns@2mbit.com> 0.7 - Brielle Bruns <bruns@2mbit.com>
- MSS Clamp on IPv6 - MSS Clamp on IPv6
- MSS Fixes, yes, its ugly - MSS Fixes, yes, its ugly
- Beginning support for bogons filtering and updater - Beginning support for bogons filtering and updater
script. Does not work yet, so don't use. script. Does not work yet, so don't use.
0.6 - Brielle Bruns <bruns@2mbit.com> 0.6 - Brielle Bruns <bruns@2mbit.com>
- Fixed some potential ordering issues with NAT - Fixed some potential ordering issues with NAT
- Added file for blocked IPs, plus new config option - Added file for blocked IPs, plus new config option
0.5 - Brielle Bruns <bruns@2mbit.com> 0.5 - Brielle Bruns <bruns@2mbit.com>
- Fixing ipv6 UDP firewalling rules - Fixing ipv6 UDP firewalling rules
- Fixing IPv6 client routing block rules - Fixing IPv6 client routing block rules
- Added new IPV6LAN interface option - Added new IPV6LAN interface option
0.4 - Brielle Bruns <bruns@2mbit.com> 0.4 - Brielle Bruns <bruns@2mbit.com>
- Added support for pre-run commands - Added support for pre-run commands
- Fixed several bugs with NAT commands - Fixed several bugs with NAT commands

3
etc/ipv4.conf
View File

@ -1 +1,2 @@
# IPv4 Specific Configuration File # IPv4 Specific Configuration File
#

3
etc/ipv6.conf
View File

@ -1 +1,2 @@
# IPv4 Specific Configuration File # IPv4 Specific Configuration File
#