2.1p2 - 02/27/2020 - Fix issue with NAT variable not being reset after being changed 2.1p1 - 01/01/2020 - Refactor NETMAP NAT target so its more flexible. See new example nat.conf file for details 2.1 Final - 07/12/2019 - Fix flush tables rule for raw - Final 2.1 release since we've had 2.1 for 5 years now without being 'released' 2.1 Beta 1 - 11/19/2018 - Add run-after and run-before rules (custom/runafter.sh and custom/runbefore.sh) 2.1 Alpha 3 - 04/25/2016 - Fix issue with erasing variables in two different setups - mss clamp fix for fwd target 2.1 Alpha 2 - 03/15/2015 - Unset variables in loops to make sure theres no leakage of variables into the next run of the loop 04/09/2015 - Allow use of 'all' in MSS rules to match all forwarding/out traffic 2.1 Alpha 1 - 11/29/2014 - Added support for custom fields in NAT and ACL rules, as this allows definition of Policy rules in the ACL files (mostly useful for IPSec) - NAT rules no longer add accept state rules, should be added in forward.conf manually 2.01 Alpha 1 - 07/27/2014 - Fix executable bits on .sh files in custom - Make MSS clamp optional and allow setting MSS size manually 2.00 Release - Add common options for sysctl/proc tweaking of network settings - Yay stable release! 2.00 Alpha 3 - - Give people knobs to tinker with regarding state matching. Kills multiple birds with one stone. - forward.conf - acl.conf - IPv6 is actually working in this version when you have default policy set to DROP IPv6 is particularly difficult regarding ICMPv6 - had to put in quite a few allows by default to make it happy. Going to have to go through the list and prune it once the code stabilizes. - rule-save/rule-save6 scripts as beginning of work to be able to cache scripts may switch to normal iptables-save/iptables-restore if it works better once I've had time to work on it. - script finally has most features of firewall/sosdg v1.1, meaning it can successfully replace firewall/sosdg in most setups, provided you are willing to redo the config. - Added config examples here: http://www.sosdg.org/software/srfirewall/examples - Implemented -f flag for flushing rules and setting iptables back to default - Fix port forwarding rules so works correctly with FORWARD set to DROP as default 2.00 Alpha 2 - 04/12/2014 - Slightly better documentation - Kernel module loading - 4/11/2014 - The next two changes affect config files: - Add syn matching to acl.conf rules - this may break existing rules - Add syn and port/protocol matching to forward.conf rules - this will not break existing rules since it adds 4 new options at the end that can be omitted completely. - Fix some variable detection rules to be more reliable. - Fix some rule issues after real life stress testing. 2.00 Alpha 1 - 04/10/2014 - Complete code rewrite and restructure to solve some long standing issues with v1 - Separate out functions into support files for easier grouping of what they do - Make more compatible with multiple disto file layouts - Basic functionality implemented: - Trusted IP source (IPv4/IPv6) - 3/30/2014 - MSS Clamping (IPv4/IPv6) - 3/30/2014 - Trusted DNS server as client (IPv4/IPv6) - 3/30/2014 - Adapted to use conntracking if available - 4/5/2014 - Easy Block functionality (IPv4/IPv6) - 3/31/2014 - ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014 - NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014 - IPv6 NAT/NETMAP is untested, have no internal use for it, let me know if works/doesnt - Forwarding functionality (IPv4/IPv6) - 4/5/2014 - Adapted to use conntracking if available - 4/6/2014 - Deps on Enablev(4|6)ConnectionTracking for NAT functionality - 4/5/2014 - Service functionality (IPv4/IPv6) 4/6/2014 - Port forwarding functionality (IPv4/IPv6) 4/6/2014 - Default policy support (IPv4/IPv6) 4/9/2014 - Add somewhat crude Debian package files, will need to be worked on... - 4/8/2014 =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-= 1.1 - Brielle Bruns - Reorder rules, place allow before block to allow overrides - Fixes for conntrack rules for better security (added -o/-i) - Correct some incorrect info in options.default 1.0 - Brielle Bruns - Minor tweaks to various config files - Fix issue with tweaks loading - Version 1.0 0.9.14 - Brielle Bruns - IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER) - Move FORWARD Established,Related rules to inside NAT rules, since without NAT, we're not really going to need to track connections forwarding through the system. I can probably be proven wrong if you don't use NAT but use the script for stateful firewalling with non-RFC1918 IPs.... - Cleanup work on code for v1.0 0.9.13 - Brielle Bruns - Fix location of ipv6 fi statement, moved to end of ipv6 rules - Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options to control them. Note the difference between BLOCKINCOMING and the PINPUT variable - Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed. - IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS 0.9.12 - Brielle Bruns - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to block incoming to. - Add support for allowing IPV6 critical ICMP messages, on by default - Add support for interception of IPv4 packets, aka transparent proxy - Add beginning support for error checking of variable inputs, still not functional yet. - Test if we are using at least bash 3.x, since some of the more advanced features we are using to make this script work don't work too well with bash < 3.0 or dash. 0.9.11 - Brielle Bruns - Move some of the config clutter to conf/ - you can put your config files anywhere, but by default, they're now going to be in conf/ - Beginning work on configuration tool. If it ever gets completed is a whole different story. :) - Option to use state or conntrack module for state tracking. By default, use conntrack. - After some research, we seem to not need NEW state match in FORWARD - Auto detect default gateway interface and IP of interface. Has potential problems if run before we've got a default interface, so manually define EXTIF to be sure, and things should be okay. This is mostly for people with dynamic IPs. 0.9.10 - Brielle Bruns - Move clamp mss up earlier in the rules to possibly fix an issue I noticed during testing - Move icmp allow code - Prevent duplicate icmp allow rules in NAT code - NETMAP support in NAT code 0.9.9a - Brielle Bruns - Minor bug fixes for my coding errors introduced in the change of IPv6 variables 0.9.9 - Brielle Bruns - Loadable module support during firewall loading - More init script fixes. - Non-conntracked DNS reply packets allow options - Slightly improved IPv6 support to start to bring it up to par with IPv4 support. - ipv6 marking support, changed ipv4 to use | instead of : - Renamed IPV6 variables, please read INSTALL file about conversion of config file to new format. 0.9.8a - Brielle Bruns - Fixing executable file permission issues - Use /bin/bash in initscript cause dash does not recognize more advanced methods that bash can use. Oops. Easiest way to keep up to date is to symlink /etc/init.d/firewall-sosdg to /etc/firewall-sosdg/doc/firewall-sosdg.init 0.9.8 - Brielle Bruns - Almost at v1.0 quality for my tastes - BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage - Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7 hammering DHCP server for unknown reason? - Cleanups - No longer display list of blocked IPs, considering if they are as long as my list is, they'll take 4 pages to display... - New block file format, much more capable now, thanks to an hour or two of improving my bash scripting skills to the point where I can do more complex breakdowns of formats - Rename blocked to ipv4-blocked since we're going to have ipv6 support - ipv6 blocking support. Different format for config file because IPv6 uses :, which means we get to use | for both ipv4 and ipv6 (goes against a previous commit) 0.9.7 - Brielle Bruns - Support for marking packets, uses new config file and IPv4_MARK file option - MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of arp requests on Linux - Allow use of multiport iptables module to reduce amount of rules 0.9.6 - Brielle Bruns - Minor changes to procedures in planning of 1.0 0.9.5 - Brielle Bruns - Makefile to automate building tarball and for future use - More changes to port-forwards file to support source IP and external IP (existing config _will_ be incompatible) 0.9.4 - Brielle Bruns - Initscript - stop-firewall for... stopping the firewall! - Code cleanups - Use of functions for some processes - Fix DHCP rule - Obsoleted NATRANGE, NATEXTIP, NATEXTIF - Added NAT_RANGE which can take SNAT/MASQ rules - Changed port forwarding rules to include external interface 0.9.3 - Brielle Bruns - Misc tweaks and reorg - Custom command files 0.9 - Brielle Bruns - Colorize output - Added outbound port blocking options 0.8 - Brielle Bruns - IPv6 Connection Tracking fixes - Strip ECN off of specific outbound packets 0.7 - Brielle Bruns - MSS Clamp on IPv6 - MSS Fixes, yes, its ugly - Beginning support for bogons filtering and updater script. Does not work yet, so don't use. 0.6 - Brielle Bruns - Fixed some potential ordering issues with NAT - Added file for blocked IPs, plus new config option 0.5 - Brielle Bruns - Fixing ipv6 UDP firewalling rules - Fixing IPv6 client routing block rules - Added new IPV6LAN interface option 0.4 - Brielle Bruns - Added support for pre-run commands - Fixed several bugs with NAT commands