2.00 Alpha 1
- Complete code rewrite and restructure to solve some long standing issues with v1
- Separate out functions into support files for easier grouping of what they do
- Make more compatible with multiple distro file layouts
- Basic functionality implemented:
  - Trusted IP source (IPv4/IPv6) - 3/30/2014
  - MSS Clamping (IPv4/IPv6) - 3/30/2014
  - Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
    - Adapted to use conntracking if available - 4/5/2014
  - Easy Block functionality (IPv4/IPv6) - 3/31/2014
  - ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
  - NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014
    - IPv6 NAT/NETMAP is untested, have no internal use for it, let me know if it works/doesn't
  - Forwarding functionality (IPv4/IPv6) - 4/5/2014
    - Adapted to use conntracking if available - 4/6/2014
    - Deps on Enablev(4|6)ConnectionTracking for NAT functionality - 4/5/2014
  - Service functionality (IPv4/IPv6) - 4/6/2014
  - Port forwarding functionality (IPv4/IPv6) - 4/6/2014

=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=

1.1 - Brielle Bruns <bruns@2mbit.com>
- Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default

1.0 - Brielle Bruns <bruns@2mbit.com>
- Minor tweaks to various config files
- Fix issue with tweaks loading
- Version 1.0

0.9.14 - Brielle Bruns <bruns@2mbit.com>
- IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
- Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
  we're not really going to need to track connections forwarding through the system.
  I can probably be proven wrong if you don't use NAT but use the script for stateful
  firewalling with non-RFC1918 IPs....
- Cleanup work on code for v1.0

0.9.13 - Brielle Bruns <bruns@2mbit.com>
- Fix location of ipv6 fi statement, moved to end of ipv6 rules
- Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
  to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
- Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
- IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS
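Two of the entries above (1.1 "place allow before block to allow overrides" and 0.9.13 "my state match of allowing NEW was undoing the incoming blocks") are both consequences of first-match evaluation in an iptables chain: the first rule that matches a packet decides its fate, and every rule below it is unreachable for that packet. The following is an added example, not code from firewall-sosdg, that models that evaluation order in Python so the two situations can be reproduced side by side. The addresses, ports and rule layout are constructed for the demonstration and do not come from the project's config files.

```python
"""First-match chain evaluation, modelled after iptables semantics.

Added example (not part of firewall-sosdg). Shows why rule ORDER, not just
rule CONTENT, decides whether a block list is enforced:
  * an ACCEPT for a trusted host only overrides a DROP for its /24 when the
    ACCEPT sits above the DROP;
  * a broad "--ctstate NEW -j ACCEPT" placed above the block rules lets every
    blocked source open new connections, which is the 0.9.13 bug.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dport: int  # destination port
    state: str  # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    """One chain entry; a None field means 'any', like an omitted iptables match."""
    target: str                   # "ACCEPT" or "DROP"
    src: Optional[str] = None     # -s <addr or CIDR>
    dport: Optional[int] = None   # --dport <n>
    state: Optional[str] = None   # -m conntrack --ctstate <state>

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.state is not None and pkt.state != self.state:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Return the verdict of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed sample data (documentation ranges, not real hosts).
BLOCKED_NET = "203.0.113.0/24"   # an entry from a hypothetical block list
TRUSTED_HOST = "203.0.113.10"    # a host inside that range we still want to allow
OTHER_BLOCKED = "203.0.113.77"   # any other host in the blocked range


def trusted_override(allow_first: bool) -> str:
    """1.1 change: does the per-host ACCEPT override the /24 DROP?"""
    allow = Rule("ACCEPT", src=TRUSTED_HOST)
    block = Rule("DROP", src=BLOCKED_NET)
    chain = [allow, block] if allow_first else [block, allow]
    return evaluate(chain, Packet(TRUSTED_HOST, 80, "NEW"))


def new_state_verdict(fixed: bool) -> str:
    """0.9.13 bug: verdict for a NEW SSH connection from a blocked source."""
    block = Rule("DROP", src=BLOCKED_NET)
    ssh = Rule("ACCEPT", dport=22, state="NEW")   # the intended service allow
    if fixed:
        # Only already-tracked traffic is accepted early; NEW must pass the
        # block rules and then match a specific service rule.
        chain = [Rule("ACCEPT", state="ESTABLISHED"),
                 Rule("ACCEPT", state="RELATED"),
                 block, ssh]
    else:
        # Broad NEW accept above the block list: the DROP is never reached.
        chain = [Rule("ACCEPT", state="NEW"), block, ssh]
    return evaluate(chain, Packet(OTHER_BLOCKED, 22, "NEW"))


if __name__ == "__main__":
    print("allow above block :", trusted_override(True))    # ACCEPT
    print("block above allow :", trusted_override(False))   # DROP
    print("NEW accept on top :", new_state_verdict(False))  # ACCEPT (leak)
    print("NEW accept fixed  :", new_state_verdict(True))   # DROP
```

The same reasoning applies when reviewing a live ruleset: `iptables -S INPUT` (or `ip6tables -S`) prints rules in evaluation order, so any `-j ACCEPT` that matches broadly and appears above the block-list rules deserves a second look.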
0.9.12 - Brielle Bruns <bruns@2mbit.com>
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
  block incoming to.
- Add support for allowing IPV6 critical ICMP messages, on by default
- Add support for interception of IPv4 packets, aka transparent proxy
- Add beginning support for error checking of variable inputs, still not functional yet.
- Test if we are using at least bash 3.x, since some of the more advanced features
  we are using to make this script work don't work too well with bash < 3.0 or dash.

0.9.11 - Brielle Bruns <bruns@2mbit.com>
- Move some of the config clutter to conf/ - you can
  put your config files anywhere, but by default, they're
  now going to be in conf/
- Beginning work on configuration tool. If it ever
  gets completed is a whole different story. :)
- Option to use state or conntrack module for state tracking.
  By default, use conntrack.
- After some research, we seem to not need NEW state match in FORWARD
- Auto detect default gateway interface and IP of interface. Has potential problems
  if run before we've got a default interface, so manually define EXTIF to be sure, and
  things should be okay. This is mostly for people with dynamic IPs.

0.9.10 - Brielle Bruns <bruns@2mbit.com>
- Move clamp mss up earlier in the rules to possibly
  fix an issue I noticed during testing
- Move icmp allow code
- Prevent duplicate icmp allow rules in NAT code
- NETMAP support in NAT code

0.9.9a - Brielle Bruns <bruns@2mbit.com>
- Minor bug fixes for my coding errors introduced in
  the change of IPv6 variables

0.9.9 - Brielle Bruns <bruns@2mbit.com>
- Loadable module support during firewall loading
- More init script fixes.
- Non-conntracked DNS reply packets allow options
- Slightly improved IPv6 support to start to bring
  it up to par with IPv4 support.
- ipv6 marking support, changed ipv4 to use | instead of :
- Renamed IPV6 variables, please read INSTALL file about conversion of config file
  to new format.

0.9.8a - Brielle Bruns <bruns@2mbit.com>
- Fixing executable file permission issues
- Use /bin/bash in initscript 'cause dash does not recognize
  more advanced methods that bash can use. Oops. Easiest
  way to keep up to date is to symlink /etc/init.d/firewall-sosdg
  to /etc/firewall-sosdg/doc/firewall-sosdg.init

0.9.8 - Brielle Bruns <bruns@2mbit.com>
- Almost at v1.0 quality for my tastes
- BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help shore up security against LAN space leakage
- Changes to LANDHCPSERVER so it accepts interface names, plus a possible fix for win7
  hammering DHCP server for unknown reason?
- Cleanups
- No longer display list of blocked IPs, considering if they are
  as long as my list is, they'll take 4 pages to display...
- New block file format, much more capable now, thanks to
  an hour or two of improving my bash scripting skills to the
  point where I can do more complex breakdowns of formats
- Rename blocked to ipv4-blocked since we're going to have
  ipv6 support
- ipv6 blocking support. Different format for config file
  because IPv6 uses :, which means we get to use | for both
  ipv4 and ipv6 (goes against a previous commit)

0.9.7 - Brielle Bruns <bruns@2mbit.com>
- Support for marking packets, uses new config file and
  IPv4_MARK file option
- MULTI-NIC-ARP-LOCK hack added, to fix what I consider to be an annoying 'feature' of
  arp requests on Linux
- Allow use of multiport iptables module to reduce amount of rules

0.9.6 - Brielle Bruns <bruns@2mbit.com>
- Minor changes to procedures in planning of 1.0

0.9.5 - Brielle Bruns <bruns@2mbit.com>
- Makefile to automate building tarball and for future use
- More changes to port-forwards file to support source IP and external IP (existing
  config _will_ be incompatible)

0.9.4 - Brielle Bruns <bruns@2mbit.com>
- Initscript
- stop-firewall for... stopping the firewall!
- Code cleanups
- Use of functions for some processes
- Fix DHCP rule
- Obsoleted NATRANGE, NATEXTIP, NATEXTIF
- Added NAT_RANGE which can take SNAT/MASQ rules
- Changed port forwarding rules to include external interface

0.9.3 - Brielle Bruns <bruns@2mbit.com>
- Misc tweaks and reorg
- Custom command files

0.9 - Brielle Bruns <bruns@2mbit.com>
- Colorize output
- Added outbound port blocking options

0.8 - Brielle Bruns <bruns@2mbit.com>
- IPv6 Connection Tracking fixes
- Strip ECN off of specific outbound packets

0.7 - Brielle Bruns <bruns@2mbit.com>
- MSS Clamp on IPv6
- MSS Fixes, yes, it's ugly
- Beginning support for bogons filtering and updater
  script. Does not work yet, so don't use.

0.6 - Brielle Bruns <bruns@2mbit.com>
- Fixed some potential ordering issues with NAT
- Added file for blocked IPs, plus new config option

0.5 - Brielle Bruns <bruns@2mbit.com>
- Fixing ipv6 UDP firewalling rules
- Fixing IPv6 client routing block rules
- Added new IPV6LAN interface option

0.4 - Brielle Bruns <bruns@2mbit.com>
- Added support for pre-run commands
- Fixed several bugs with NAT commands