~ubuntu-branches/ubuntu/trusty/arno-iptables-firewall/trusty

Version 2.0.1d (November 16, 2012)
----------------------------------
+ Reintroduced the DNS fast-fail option (DNS_FAST_FAIL) and added DNS_FAST_FAIL_ONCE so that plugins can use it
+ Added nat-loopback plugin for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules.
+ Added new main command 'status-plugins [name]'.  Useful [name] values are: dyndns-host-open, multiroute, nat-loopback,
  rpc, traffic-accounting and traffic-shaper.  When [name] is specified, only that plugin is shown.
  For example:
    $ arno-iptables-firewall status-plugins                       (shows all plugins status results)
    $ arno-iptables-firewall status-plugins dyndns-host-open      (shows only dyndns-host-open plugin status results)
+ Added outbound-snat plugin: when a NAT'ed external interface has multiple IPv4 addresses, it lets you specify
  which internal IPs or CIDRs use which external IPv4 address for outbound connections.
! Fixed the modprobe() function when using kmod: kmod's modprobe prints nothing to stderr when a module is not found.
! Fixed logging of dropped packets of all protocols (i.e. not just TCP) in LAN_INET_FORWARD_CHAIN and DMZ_INET_FORWARD_CHAIN.
+ Added new variables LAN_INET_DEFAULT_POLICY_DROP, DMZ_INET_DEFAULT_POLICY_DROP and LAN_DEFAULT_POLICY_DROP
  to define the default policies explicitly. When undefined, the 'automatic' policy is used, as in all previous versions.
* Allow plugins to maintain a dynamic chain (e.g. MINIUPNPD) in the nat table that is not automatically flushed on a restart.
* Improved traffic-accounting & dyndns-host-open plugins with a new host cache mechanism
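The nat-loopback plugin listed above exists because a LAN client that connects to a port forward through the router's public address needs a second NAT step, or the internal server answers the client directly and the connection fails. The dry-run generator below is an added example written for this page, not code from arno-iptables-firewall or its nat-loopback plugin: the `<ext_port>><host>[~<port>]` entry syntax, the interface names and the addresses are assumptions, and it prints plain iptables commands so they can be compared with what the plugin really installs.

```shell
#!/bin/sh
# Added example (not AIF's own code): a dry-run generator for the
# "NAT loopback" (hairpin NAT) rules a LAN needs so that clients can
# reach a port-forwarded service via the router's *external* IPv4 address.
# Entry syntax is assumed to follow AIF's NAT_FORWARD_TCP/UDP form
#   "<ext_port>><int_host>[~<int_port>]"      e.g. 80>192.168.1.10~8080
# where a missing ~<int_port> means "same port as ext_port".
# Nothing is applied: the rules are printed so they can be reviewed first.

# Constructed sample topology (assumptions, not taken from the page)
INT_IF=eth1               # LAN-facing interface
INT_IP=192.168.1.1        # firewall's LAN address, used as SNAT source
LAN_NET=192.168.1.0/24
EXT_IP=203.0.113.5        # public address the forwards are published on
NAT_FORWARD_TCP="80>192.168.1.10~8080 22>192.168.1.20"

# nat_loopback_rules <tcp|udp> <entry>...   prints one DNAT + one SNAT rule
# per entry; returns 1 on a malformed entry without printing a rule for it.
nat_loopback_rules() {
    proto=$1; shift
    for entry in "$@"; do
        ext_port=${entry%%>*}
        dest=${entry#*>}
        case $dest in
            *~*) int_host=${dest%%~*}; int_port=${dest#*~} ;;
            *)   int_host=$dest;       int_port=$ext_port ;;
        esac
        for p in "$ext_port" "$int_port"; do
            case $p in
                ''|*[!0-9]*) echo "malformed entry: $entry" >&2; return 1 ;;
            esac
        done
        # 1) LAN client -> EXT_IP:ext_port is redirected to the internal server.
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$INT_IF" "$LAN_NET" "$EXT_IP" "$proto" "$ext_port" "$int_host" "$int_port"
        # 2) The hairpinned flow is SNAT'ed to the firewall's LAN address.
        #    Without this the server answers the client directly with its own
        #    address as source, the client expected EXT_IP, and the handshake
        #    fails. --ctstate DNAT restricts the SNAT to flows that were
        #    rewritten in step 1, so direct LAN->server traffic is untouched.
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p %s --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
            "$INT_IF" "$LAN_NET" "$int_host" "$proto" "$int_port" "$INT_IP"
    done
}

nat_loopback_rules tcp $NAT_FORWARD_TCP
```

Run it as a normal user to see the rules, and only pipe the output into sh as root after checking it. The `--ctstate DNAT` match on the SNAT rule keeps the real client address on direct LAN-to-server connections, so the server's logs only lose the client address for hairpinned flows, where losing it is unavoidable.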

Version 2.0.1c (June 27, 2012)
------------------------------
! Fix a script 'IFS' issue if IPv6 and DMZ is enabled together with DMZ_HOST_OPEN_IP (thanks to Ingmar Schraub)
! Newer kernels (3.4+) replaced ipt_LOG & ip6t_LOG with xt_LOG (thanks to Adam Young)

Version 2.0.1b (March 16, 2012)
-------------------------------
! RESERVED_NET_DROP only worked when RESERVED_NET_LOG was enabled (regression) (thanks to gregoryach@gmail.com)
! Removed stray line in install.sh
* Updated/corrected documentation

Version 2.0.1a (March 7, 2012)
------------------------------
* Misc. tweaks for arno-fwfilter (thanks Mark van Dijk)
* Use ls instead of [ -n (find) ] as it's much faster (thanks Lonnie)
* As in previous versions, when LAN_INET_OPEN_xxx and LAN_INET_HOST_OPEN_xxx are NOT defined
  the default LAN->INET policy is ACCEPT. What changed: when *any* of these variables is defined
  the default LAN->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
* As in previous versions, when DMZ_INET_OPEN_xxx and DMZ_INET_HOST_OPEN_xxx are NOT defined
  the default DMZ->INET policy is ACCEPT. What changed: when *any* of these variables is defined
  the default DMZ->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
* Tweaked the handling of some of the sysctl kernel settings. Setting/resetting of some of them
  (like forwarding) can now be disabled
* Default UDP connection timeout to 60 seconds
+ Added support for new LOCAL_CONFIG_DIR variable, defaults to "/etc/arno-iptables-firewall/conf.d" (Debian bug #658458)
! Set default policy to DROP if either LAN_INET_HOST_OPEN_xxx or DMZ_INET_HOST_OPEN_xxx is defined,
  to match the documentation. (thanks Schilling Thomas Ing for reporting)
* Improve documentation
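Because the 2.0.1a change above flips the default LAN->INET and DMZ->INET policy to DROP for every protocol as soon as any OPEN variable is set, and 2.0.1d later added LAN_INET_DEFAULT_POLICY_DROP and DMZ_INET_DEFAULT_POLICY_DROP to pin the policy explicitly, it is worth auditing a configuration file before upgrading. The script below is an added example, not AIF's own code: it re-implements the documented rule from the changelog wording alone, so its behaviour is an assumption to be checked against the installed version, and the list of protocol suffixes it inspects is also assumed.

```shell
#!/bin/sh
# Added example (not AIF's own code): a stand-alone re-implementation of the
# documented default-policy rule for the LAN->INET and DMZ->INET forward
# chains, usable to audit a firewall.conf before upgrading. It is derived
# from the changelog wording only, so treat it as an assumption about AIF and
# compare with 'iptables -L LAN_INET_FORWARD_CHAIN -n' on the real system.
#
# Rule modelled (2.0.1a/2.0.1b, overridden by the 2.0.1d variable):
#   1. <PFX>_INET_DEFAULT_POLICY_DROP=1 -> DROP, =0 -> ACCEPT (explicit)
#   2. otherwise "automatic": DROP for *all* protocols as soon as any
#      <PFX>_INET_OPEN_xxx or <PFX>_INET_HOST_OPEN_xxx is non-empty,
#      ACCEPT only when none of them is defined.
# The protocol suffixes checked below are an assumption; extend the list to
# match the variables present in your own configuration file.

# policy_for <LAN|DMZ>   prints ACCEPT or DROP
policy_for() {
    pfx=${1}_INET
    eval "explicit=\${${pfx}_DEFAULT_POLICY_DROP:-}"
    case $explicit in
        1) echo DROP;   return 0 ;;
        0) echo ACCEPT; return 0 ;;
    esac
    for suffix in OPEN_TCP OPEN_UDP OPEN_IP OPEN_ICMP \
                  HOST_OPEN_TCP HOST_OPEN_UDP HOST_OPEN_IP HOST_OPEN_ICMP; do
        eval "val=\${${pfx}_${suffix}:-}"
        if [ -n "$val" ]; then
            echo DROP
            return 0
        fi
    done
    echo ACCEPT
}

# audit_conf <file>   sources a firewall.conf-style file in a subshell (so the
# caller's environment is untouched) and reports both default policies.
# The file is executed as shell code, so only point this at your own config.
audit_conf() {
    (
        . "$1"
        printf 'LAN->INET default: %s\n' "$(policy_for LAN)"
        printf 'DMZ->INET default: %s\n' "$(policy_for DMZ)"
    )
}

# Constructed sample config (assumption): one host-open entry on the LAN side
# is enough to flip the LAN->INET default to DROP, while the DMZ side stays
# ACCEPT because it is pinned explicitly.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LAN_INET_HOST_OPEN_TCP="192.168.1.10~25"
DMZ_INET_DEFAULT_POLICY_DROP=0
EOF
audit_conf "$sample"
rm -f "$sample"
```

Point audit_conf at /etc/arno-iptables-firewall/firewall.conf (or a conf.d fragment) to see which default each forward chain will get; if the answer surprises you, set the _DEFAULT_POLICY_DROP variable explicitly rather than relying on the automatic rule.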

Version 2.0.1 (December 18, 2011)
---------------------------------
- Removed DNS_FAST_FAIL & RESOLV_IPS since they are both obsolete
* A few changes in the install/uninstall scripts, e.g. arno-fwfilter now installs to /usr/local/bin instead

Version 2.0.1-BETA1 (October 10, 2011)
--------------------------------------
! Fixed kernel_ver_chk() function to properly handle kernel 3.x (thanks Gunawan Lim for reporting)
! Fixed variables containing REJECT_UDP with IPv6 enabled: they should use 'icmp6-addr-unreachable' for IPv6.
* Updated "DynDNS Host Open" and "DMZ-DNAT" plugins to use the new parse_rule() function.
* AIF variables are now parsed with a common function; missing fields are now logged with a warning.
* Misc. tweaks

Version 2.0.0c (July 28, 2011)
------------------------------
* Call insserv during configure, when available. This is required for e.g.
  Debian/Ubuntu systems that use dependency-based booting
! Fixed MULTICAST jump: it should be done at the end of EXT_INPUT_CHAIN, not
  at the beginning, otherwise users won't be able to create "normal" rules for it
* Updated several plugins
* Several tweaks

Version 2.0.0b (March 25, 2011)
-------------------------------
+ Perform kernel check when IPv6 support is enabled
- Don't auto detect external interface settings during configure. It's too
  confusing and fills out the wrong values for certain setups (like laptops that are moved around)
+ Show platform information on start/restart when verbose
! remove bash-ism related to traffic-shaper plugin (Reported by Debian upstream, Debian bug #619496)
! remove bash-ism in ipsec-vpn plugin (Reported by Debian upstream, Debian bug #617510)
! workaround Busybox 'ash' bug when IPV6_SUPPORT is enabled
+ Added pptp-vpn plugin for local PPTP server support
! arno-fwfilter uses incorrect URL for location lookup (Debian bug #613631, thanks to Tony Evans for the patch)
+ Drop all IPv6 packets with Routing Header Type 0 (deprecated by RFC 5095), new variable IPV6_DROP_RH_ZERO (thanks Klemen Mihevc)
! Fixed handling HOST_OPEN_ICMP, HOST_DENY_ICMP_NOLOG and HOST_DENY_ICMP variables
  with IPv6 addresses. (thanks Klemen Mihevc)
* Tweaked NAT module loading + cosmetics. iptable_nat is a required module for
  AIF because of the plugin framework/helper chains, so it was wrong to only load
  it when NAT is enabled in the main script.

Version 2.0.0a (December 30, 2010)
----------------------------------
! Set IFS=' ' in our batch-functions else the wrappers fail in some cases
- Removed old legacy plugin support that used the PLUGIN_PATH variable
! Fixed an issue when the value of IPV6_SUPPORT was changed then followed with a 'restart'
* (Cosmetic) tweaks

Version 2.0.0 (November 15, 2010)
---------------------------------
! dig wrapper using nslookup: extract IPv4 addresses in preference to IPv6 addresses
* ipsec-vpn plugin, removed unnecessary EXT_INPUT_CHAIN rule and added IPv6 support
  for matching AH headers

Version 1.9.9-RC1 (October 25, 2010)
------------------------------------
- Removed deprecated check_binary() function from environment
+ Added support for an optional plugin_restart() function in plugins using a new plugin template,
  while supporting previous plugins without a plugin_restart() function
* Refactor load_modules() using our new modprobe_multi() 
* Allow modprobe_multi() function arguments to be grouped by a comma
+ Use IDENT environment variable for plugins
+ Added SHAPER_IF variable to traffic-shaper plugin to specify a single external interface
  should the default EXT_IF value contain more than one interface
+ Added SIP_VOIP_REMOTE_HOSTS variable to sip-voip plugin to limit access by source address
- Removed obsolete module_probe() function. Use modprobe() instead
+ Added IPV6_AUTO_CONFIGURATION variable to control autoconf when IP_FORWARDING = 0
+ Added IPV6_OVER_IPV4_SERVER variable for ipv6-over-ipv4 plugin, restricting 6to4 source packets
* Misc. tweaks & fixes

Version 1.9.9-BETA1 (October 8, 2010)
-------------------------------------
* Refactor setting kernel parameters
! Reverted the change that stopped masquerading IPv6-over-IPv4 (IP protocol 41), so outgoing forwarded connections work properly
+ Added EXTERNAL_DHCPV6_SERVER variable to allow DHCPv6 clients on the *external* interface
* The default INET->DMZ policy is now DROP. Common variables this change may affect are:
  INET_DMZ_HOST_OPEN_xxx and INET_DMZ_OPEN_xxx
+ Added support for Link-Local-Multicast ICMPv6 echo-request packets
+ Added LINK_LOCAL_DROP_LOG variable which controls logging of dropped IPv6 Link-Local addresses.
+ Added FORWARD_LINK_LOCAL variable which, by default (0), disables forwarding of IPv6 Link-Local addresses.
+ Added EXT_MULTICAST_CHAIN to handle external-inbound multicast traffic
+ Added DHCPv6 support for the EXT_IF_DHCP_IP variable.
+ Added a new variable FORWARD_DROP_LOG to disable logging dropped forwards when set to 0, defaults to 1.
! Fixed handling of destination host~port fields where only the host was specified.
+ Added a new set of variables INET_FORWARD_xxx to allow forwarding INET IPv6 and non-NAT'ed IPv4 packets
  to other interfaces.  The format is similar to the IPv4 NAT_FORWARD_xxx without port mapping.
+ Added a new variable OPEN_ICMPV6 to allow independent control of INET ICMP for IPv4 and IPv6, enabled by default.
! Fixed handling of INET_DMZ_HOST_OPEN_xxx variables
! Fixed handling of INET_DMZ_HOST_DENY_xxx variables
! Fixed handling of INET_DMZ_DENY_TCP
! Fixed variable typo, INET_DMZ_HOST_DENY_TCP was not handled
+ Added IPv6 reserved network support, label logs by IPv4 and IPv6
! Fixed: RESERVED_NET_LOG is now independent of DROP_PRIVATE_ADDRESSES
+ Added option to the configure script to enable/disable IPv6 + several tweaks
* The sanity check should always be the first thing we do, since we probably can't
  write the log file when not running as root
+ Automatically disable IPV6_SUPPORT if IPv6 is not detected in the kernel
+ Add support for mixed IPv4/IPv6 when IPV6_SUPPORT=1