Version 1.9.2l (August 25, 2010)
--------------------------------
* BusyBox grep doesn't understand -x, so anchor the pattern with ^ and $ instead; dots in it must also be escaped (thanks Lonnie)
* Slightly safer check on whether IPv6 is available on the system we're running on
! IPv6 detection failed because our sysctl wrapper function was too verbose. This caused IPv6 to always be
  "open" on systems with IPv6 connectivity (Debian bug #594326, thanks to Tim Small for reporting this)
* From now on explicitly set every concrete variable covered by a sysctl wildcard (like "net.ipv4.conf.*.rp_filter")
  since newer kernels handle wildcards differently now (Thanks to Klemen Mihevc)
+ The "Blocked Host" feature adds the BLOCK_HOSTS_BIDIRECTIONAL option to specify whether hosts are
  blocked both Inbound and Outbound (default) or Inbound only. (Thanks Philip)
* Don't masquerade IPv6/proto 41 (thanks Klemen Mihevc)
* Use unset IFS only for actual rules
* Re-added local IFS in environment
+ Added option to enable/disable antispoofing for internal/dmz nets
! Don't "unset IFS" immediately after "local IFS" declaration in functions, this breaks older shells
+ Added option to enable/disable IGMP logging
! Modprobe didn't work properly for old modprobe/distros when modules were compiled in-kernel
+ Configure option to allow user to enable full access for the external subnet
+ Implemented EXT_BROADCAST_CHAIN
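
The wildcard change above (setting each concrete key instead of relying on sysctl's wildcard handling) looks like the following in shell. This is an added example, not AIF's own sysctl wrapper: it walks the /proc/sys tree with a glob and writes every matching file itself, so neither the kernel nor the sysctl binary ever sees the wildcard. SYSCTL_ROOT is an assumed override so the function can be exercised against a scratch directory; on a real host it stays /proc/sys.

```shell
#!/bin/sh
# Added example, not arno-iptables-firewall code: expand a wildcard sysctl key
# such as net.ipv4.conf.*.rp_filter to every concrete key and set each one by
# writing its /proc/sys file directly, rather than passing the wildcard to
# sysctl(8). SYSCTL_ROOT is an assumption made so the function can be tested
# against a scratch tree; leave it unset on a real host.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# sysctl_key_to_path KEY -> path relative to SYSCTL_ROOT.
# Only the dots of the wildcard key are converted. The interface name is filled
# in by the glob later, so a VLAN device such as eth0.100 (whose dotted form
# net.ipv4.conf.eth0.100.rp_filter is ambiguous for sysctl(8)) needs no
# special handling here.
sysctl_key_to_path() {
  printf '%s\n' "$1" | tr '.' '/'
}

# sysctl_set_all WILDCARD_KEY VALUE
# Writes VALUE into every file matched by the expanded key and prints how many
# keys were set. Missing or unwritable keys (e.g. a read-only /proc/sys inside
# a container) are skipped silently, like a quiet (-q) sysctl wrapper would;
# a caller that depends on the setting should check that the count is non-zero.
sysctl_set_all() {
  pattern=$(sysctl_key_to_path "$1")
  value=$2
  count=0
  for f in "$SYSCTL_ROOT"/$pattern; do   # $pattern unquoted so the shell expands '*'
    [ -f "$f" ] || continue
    if printf '%s\n' "$value" > "$f" 2>/dev/null; then
      count=$((count + 1))
    fi
  done
  printf '%s\n' "$count"
}

# Equivalent of the old "sysctl -w net.ipv4.conf.*.rp_filter=1" on a live
# system (needs root). The key is quoted so the shell does not glob it against
# the current directory before the function sees it:
#   sysctl_set_all 'net.ipv4.conf.*.rp_filter' 1
```

The returned count is the check a practitioner wants: zero means either no interface directory matched or /proc/sys was not writable, and in both cases the rp_filter protection the firewall assumes is silently absent.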

Version 1.9.2k (March 25, 2010)
-------------------------------
! check_interface() function didn't work for VLAN interfaces
! Several tweaks & fixes in the install script
+ Add old version detection to the install script
+ Added "Kernel Configuration Special Issues" section to README
+ Updated traffic-shaper-plugin, added two more queues, added more DSCP matches,
  updated "traffic-shaper.conf" template and support local server source port matches.
+ Added 224.0.0.0/24 to the list of broadcast destination addresses
+ Updated traffic-accounting-plugin

Version 1.9.2j (February 26, 2010)
----------------------------------
+ Check for dig/nslookup in the main script when RESOLV_IPS=1
! The PLUGIN config & binary path check must be in the main script, otherwise our
  install script fails on fresh installs or upgrades from old 1.8 setups

Version 1.9.2i (February 23, 2010)
----------------------------------
* Modify the install script to make the firewall start after the network is brought up on boot
+ Add dig() function wrapper that degrades to nslookup if dig is not available
* Refactor check_binary() into separate check_command() & check_command_error() functions
+ New DynDNS & Traffic Accounting plugins. Main improvement is that they feature
  host caching now
* Have a separate function to check our config so we don't fail on a bad config when e.g. stopping
+ Have the install script detect interfaces and their properties
* Better (wildcard) interface detection in the main script
* Don't autodetect interface addresses etc. in the main script, instead do it during install
! sysctl() always applied the -w argument which it shouldn't
! DNS failed during startup
* We shouldn't just default (too much) to ANYHOST and/or ANYPORT if not specified. This is too sensitive to user error (my own included)
! Can't have defaults for protocols
* Misc. tweaks & cosmetics

Version 1.9.2h (January 5, 2010)
--------------------------------
! %0d in the date format is not supported by busybox so replace it with %d (thanks Lonnie)
! Init script for newer Debian/Ubuntu versions. Start on system startup,
  only stop on system shutdown. Moreover, do not wait for syslog, but start
  whenever there is network (thanks downstream/Michael Hanke)
* Cleaned up/tweaked sysctl & modprobe functions
* Consistently use 'ip' instead of 'ifconfig' to obtain interface attributes.
+ Add iptables_batch() function to greatly decrease the time to add the "Blocked Host" rules.
  iptables_batch() uses iptables-save and iptables-restore to add rules in batch rather than one-by-one.
  This feature may be disabled by setting DISABLE_IPTABLES_BATCH=1
! Fixed typo in module_probe deprecation warning
+ Autodetect netmask & broadcast addresses for INT_IF & EXT_IF
+ Add a default DROP to the HOST_BLOCK_SRC and HOST_BLOCK_DST chains while they are being built,
  this is most important when using the 'force-reload' verb.  During the time the Blocked Hosts are
  being applied, no new traffic will be allowed in any direction.
+ Add a check for the '-' character in the ip_range() function for improved execution speed.
* The "Blocked Host" feature now also matches the destination address for outbound traffic in addition to the
  previous matching of the source address for inbound traffic.
* The "Blocked Host" logging is now implemented as one rule rather than a rule for each blocked host.
* The "Blocked Host" file may now include a semicolon ';' as a comment delimiter, per the Spamhaus DROP list.
* The "Blocked Host" file (re)load now displays an activity count since this can take awhile.
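
The batch load and the bidirectional/single-logging-rule changes above, as an added shell example rather than AIF's own iptables_batch(): it turns a blocked-hosts file into one iptables-restore input, so a long list is loaded in a single atomic call instead of one iptables fork per host. Assumed names: HOST_BLOCK_SRC and HOST_BLOCK_DST are the chains the changelog names, HOST_BLOCK_LOG is a hypothetical chain carrying the one LOG rule, the "AIF:" log prefix follows the 1.9.0 entry, and the shorthand range 192.0.2.10-20 is read as 192.0.2.10-192.0.2.20 (my reading of the 1.9.0-ALPHA1 range syntax). The host list is constructed for the example.

```shell
#!/bin/sh
# Added example, not arno-iptables-firewall code. Builds an iptables-restore
# batch for the "Blocked Host" chains. Assumptions: chains HOST_BLOCK_SRC and
# HOST_BLOCK_DST (named in the changelog), a hypothetical HOST_BLOCK_LOG chain
# holding the single LOG rule, and 192.0.2.10-20 meaning 192.0.2.10-192.0.2.20.

# parse_blocked_hosts: stdin -> one entry per line. Drops '#' and ';' comments
# (the Spamhaus DROP list uses ';'), surrounding whitespace and blank lines.
parse_blocked_hosts() {
  sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# host_match src|dst ENTRY -> iptables match for that entry.
# Plain hosts and CIDR prefixes use -s/-d; anything containing '-' is an
# address range handled by the iprange match (one rule, not one per address).
host_match() {
  case "$2" in
    *-*)
      start=${2%-*}
      end=${2##*-}
      case "$end" in
        *.*) ;;                              # full end address given
        *)   end="${start%.*}.$end" ;;        # shorthand: reuse the first three octets
      esac
      if [ "$1" = src ]; then
        printf '%s\n' "-m iprange --src-range $start-$end"
      else
        printf '%s\n' "-m iprange --dst-range $start-$end"
      fi
      ;;
    *)
      if [ "$1" = src ]; then printf '%s\n' "-s $2"; else printf '%s\n' "-d $2"; fi
      ;;
  esac
}

# build_block_batch [BIDIRECTIONAL]: blocked-hosts text on stdin ->
# iptables-restore input on stdout. BIDIRECTIONAL=1 (default) also blocks the
# hosts as destinations of outbound traffic; 0 blocks inbound sources only.
build_block_batch() {
  bidir=${1:-1}
  printf '%s\n' '*filter'
  # With "iptables-restore -n" (--noflush) a ':CHAIN' line flushes an existing
  # user chain instead of failing, so the old block list is replaced in place
  # while the rest of the filter table is left untouched.
  printf '%s\n' ':HOST_BLOCK_SRC - [0:0]' ':HOST_BLOCK_DST - [0:0]' ':HOST_BLOCK_LOG - [0:0]'
  parse_blocked_hosts | while IFS= read -r host; do
    printf '%s\n' "-A HOST_BLOCK_SRC $(host_match src "$host") -j HOST_BLOCK_LOG"
    if [ "$bidir" = 1 ]; then
      printf '%s\n' "-A HOST_BLOCK_DST $(host_match dst "$host") -j HOST_BLOCK_LOG"
    fi
  done
  # One rate-limited LOG rule shared by every blocked host, then the DROP.
  printf '%s\n' '-A HOST_BLOCK_LOG -m limit --limit 1/s -j LOG --log-prefix "AIF:Blocked host: "'
  printf '%s\n' '-A HOST_BLOCK_LOG -j DROP'
  printf '%s\n' 'COMMIT'
}

# count_block_rules: batch text on stdin -> number of per-host rules, the
# "activity count" worth showing while a long list loads.
count_block_rules() {
  grep -c '^-A HOST_BLOCK_[SD]' || true   # grep -c exits 1 when the count is 0
}

# Constructed sample in the blocked-hosts file format (comments via # and ;).
sample_blocked_hosts() {
  cat <<'EOF'
# documentation ranges only, not a real block list
198.51.100.7
203.0.113.0/24 ; SBL-style comment, as in the Spamhaus DROP list
192.0.2.10-20          # shorthand range

EOF
}

# Demo: print the batch and the rule count. On a live firewall the batch is
# piped into "iptables-restore -n" instead of being printed.
sample_blocked_hosts | build_block_batch 1
printf 'rules: %s\n' "$(sample_blocked_hosts | build_block_batch 1 | count_block_rules)"
```

Because iptables-restore applies the whole table in one transaction, there is no window during the load in which the chains are half-built, which is the gap the default DROP added for force-reload closes when rules are inserted one at a time.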

Version 1.9.2g (November 17, 2009)
----------------------------------
- Removed incorrect comment in sip-voip.conf
! Fixed logging of packets in the INPUT chain because of incorrect use of the POST_INPUT_xxx chains
! Fixed dropping of packets in EXT_INPUT_CHAIN + we should jump into the POST_INPUT_CHAIN first before we DROP

Version 1.9.2f (November 10, 2009)
----------------------------------
* Tweaked some kernel settings
! Fixed modprobe errors. Always use $@ as $* might do things you don't expect! (Thanks Lonnie!)
! Don't disable TCP SACK when DoS reduction is enabled since performance degrades from it

Version 1.9.2e (November 9, 2009)
---------------------------------
+ Added some more DoS-prevention kernel settings (thanks Michiel Klaver)
+ IPv6 module updates
+ Implemented support to set INDENT(space) value for functions in environment
+ Added sysctl_multi() & modprobe_multi() functions to allow probing for several modules/variables at once
! Unify date format in the log (Debian bug #550222)
* Only apply the DNAT ctstate rule if explicitly enabled from the config file
  (using the NAT_LOCAL_REDIRECT variable). The previous implementation was simply
  too much of a hack.
* We should explicitly enable net.netfilter.nf_conntrack_acct for kernel 2.6.27+
  to allow the use of traffic accounting and such (thanks Lonnie)
* Don't redirect the output of iptables -t nat commands to /dev/null anymore. We just need the nat module, and that's all there is to it
! DROP any new traffic while firewall rules are generated so improper states are not created during start/restart
* The default OUTPUT policy no longer sees traffic after setting up the firewall rules in the chains
! Removed an unconditional ACCEPT in the EXT_OUTPUT_CHAIN keeping the POST_OUTPUT_CHAIN from seeing EXT_IF traffic
! Several fixes/changes for the POST_xxxx_CHAINs. This should make the POST stuff more
  consistent among INPUT/FORWARD/OUTPUT
* Misc. tweaks

Version 1.9.2d (August 24, 2009)
--------------------------------
* Renamed module_probe() to modprobe() and added deprecation warning
+ Updated traffic accounting plugin. Fixes another "rule-leak"
+ Updated sip-voip plugin (thanks Philip)
+ Updated traffic-shaper plugin (thanks Philip)

Version 1.9.2c (July 29, 2009)
------------------------------
! On reinit we must flush all chains in the nat & mangle tables else
  they will keep growing (Thanks Lonnie)
+ Updated IPSEC VPN plugin (Thanks Philip)
+ Updated Traffic Accounting plugin
+ Updated DynDNS Open plugin
+ Updated IDS plugin
! Fixed ICMP checks for IPv6
* Less defaulting to all ports/all hosts for several rules. This should mainly
  improve security in case of incorrect rules/configurations

Version 1.9.2b (June 25, 2009)
------------------------------
! Fixed DSL plugin causing errors on restart
* Detected iptables errors are now reported as WARNING rather than ERROR when the script finishes
+ Updated IPSEC-VPN plugin (Thanks Philip)
* Moved .aif_active_plugins to /var/tmp/
+ Detect plugins on stop() that have their priority number changed

Version 1.9.2a (June 9, 2009)
-----------------------------
* Dropped requirement of the ip binary in the main script

Version 1.9.2 (June 4, 2009)
----------------------------
* Bumped installer version to 1.0
! Fixed check_binary failed on dash-based systems (like Ubuntu) (Thanks Lonnie!)
! Fixed some bashisms
! Fixed DMZ_LAN_HOST_OPEN_IP didn't work

Version 1.9.1-RC1 (May 20, 2009)
--------------------------------
! Fixed DMZ_LAN_HOST_OPEN_xxx source hosts weren't parsed properly (Thanks to Lonnie Abelbeck)
! Fixed LOG_HOST_OUTPUT_xxx format error (Thanks to Lonnie Abelbeck)
+ Added local DNAT redirect support (Thanks to Philip Prindeville)
+ Added experimental DMZ-NAT plugin (Thanks to Philip Prindeville)
+ Implemented NAT_PREROUTING_CHAIN, POST_NAT_PREROUTING_CHAIN,
  NAT_POSTROUTING_CHAIN & POST_NAT_POSTROUTING_CHAIN chains
* Replaced DMZ_IF_TRUST and INT_IF_TRUST with the new IF_TRUSTS variable.
  You can use | to create separate groups of interfaces.
+ We now detect whether iptables (/ip4tables/ip6tables) failed (somewhere)
  during startup and report this at the end
! Fixed NAT_FORWARD_IP not working
! Several fixes/changes in the rule parsers
* Moved from using the $IPTABLES/$IP4TABLES/$IP6TABLES variables to functions
  (Thanks Philip Prindeville). This should e.g. allow proper tracing.
+ Iptables errors will now be shown in red, to better point them out
+ Implemented some additional chains (e.g. for plugin use)
- Reverted flushing user chains before stopping plugins, it causes disconnections.
* Several cleanups/optimizations (thanks to Philip Prindeville, Lonnie Abelbeck
  & Roy Lanek)
* Major cleanup of functions etc.

Version 1.9.1-BETA1 (April 5, 2009)
-----------------------------------
* On a restart the "user_chains" are now flushed before the plugins are stopped
+ Implemented INPUT/FORWARD/OUTPUT_CHAIN. In this way we no longer have to clutter
  the builtin INPUT/FORWARD/OUTPUT chains.
* !!!! Changed the separator for interface restrictions to # (e.g. eth0#.....)!!!
  This code is now much cleaner and the way rules work is a lot more logical :)
! Fixed warnings with newer iptables versions
+ Plugin status & stop are now only called when the plugin is actually listed
  as being previously loaded (Thanks to Lonnie Abelbeck). ALL PLUGINS MUST BE
  UPDATED ACCORDINGLY!
* Rewrote the startup (and restart) code. This should make the restart command
  work a lot better (although it may also have broken some stuff)
+ Misc. tweaks
+ Added option to use extra arguments for functions that use dig
+ Updated several plugins
! EOL specification was invalid in the environment file

Version 1.9.0b (February 27, 2009)
----------------------------------
! Fixed some security issues concerning firewall restart (thanks to Lonnie Abelbeck)
! Fixed invalid EOL causing blocked hosts to fail
! Fixed invalid sed-syntax causing blocked hosts to fail
- Removed MAC-filter from the main script (will be moved to a separate plugin)
! Fixed OUTPUT policy didn't get applied
! Fixed LOG_xxx_INPUT should be LOG_INPUT_xxx in the config file
* Small tweaks in the install script
+ Added wildcard_ifs() function to the environment-file
+ Updated several plugins
* Cleanup + fixed several typos (thanks Philip Prindeville)
* The restart command will now block all traffic from the external interfaces.
+ Host-block now has the option to keep established TCP connections, useful for
  our restart command to NOT kill any running SSH connections
+ New (separate) MAC filter plugin. Also allows "locking" a MAC to an IP now

Version 1.9.0a (January 8, 2009)
--------------------------------
! Several fixes in the install script

Version 1.9.0 (January 7, 2009)
-------------------------------
+ Some more fallback safeguards
! Fixed LAN_INET_HOST_DENY_TCP/UDP (stupid typo)
! Trimmed too long log messages
* Set timeout/retry values to defaults for the dig functions in the env-file
! Fixed sysctl for e.g. busybox setups which don't support -q. Implemented a sysctl
  wrapper for this (like with module_probe())
+ Added new traffic shaper (thanks to Lonnie Abelbeck)
- Removed old hfsc traffic shaper
+ Added net.netfilter.nf_conntrack_max as additional sysctl key
+ Added AIF:-prefix to all LOG messages
+ Added ENV_FILE fallback in case it's not specified in the config-file
+ Enhanced the environment file to make it more robust in case config stuff is missing
- Removed <=2.2 kernel check
! Minor fix in the init script
! Fix bug in the install script which broke setting basic config
* Disabled verbose by default in the init script (set VERBOSE=1 inside
  /etc/init.d/arno-iptables-firewall to enable again)
* Misc. plugin updates
* Misc. tweaks in the install script

Version 1.9.0-rc4 (November 23, 2008)
-------------------------------------
! Fixed hfsc plugin on ubuntu
! Fixed install script on ubuntu
* Moved /usr/share stuff to /usr/local/share (where it belongs). This is hopefully
  the last major change.
+ Updated DynDNS plugin to 0.23BETA. It now automatically creates/removes the cron job
+ Updated Traffic Accounting plugin to 0.2BETA
* man pages are now gzipped by the installer
! Fixed incorrect configuration file used for the transparent proxy plugin
! Installer didn't setup a symlink in /etc/rcS.d to start the firewall at boot
+ Added uninstall script
! Several fixes in the install script
* Misc. tweaks & fixes

Version 1.9.0-rc3 (September 4, 2008)
-------------------------------------
! Fixed dsl-ppp-modem plugin was accidentally DOS-formatted
! Fixed dsl-ppp-modem accidentally referring to adsl-ppp-modem.conf instead
  of dsl-ppp-modem.conf
! Fixed aliased-inet-IP support in the NAT forwarding code
! Fixed several problems in the installation script
! Fixed broken dyndns-plugin
* Cosmetic tweaks

Version 1.9.0-rc2 (September 3, 2008)
-------------------------------------
+ Added new DynDNS plugin to open ports for DynDNS (internet) hosts
+ Updated several plugins
* Default policy for LAN->INET, DMZ->INET, INET->DMZ etc. is now ACCEPT (at the
  end of the chain) unless an OPEN_xxx is specified, in which case the default is DROP
! Fixed the use of source-destination-ip's with NAT forwards
+ Basic install script added (install.sh). Probably can use a lot of improvements.
* Moved a lot of functions/variables into a new separate "environment" file
  (located in /usr/share/arno-iptables-firewall/). This should make it easier for
  e.g. helper scripts to use AIF's functions & variables
* Minor changes/updates in the plugins (slightly modified skeleton for example)
- Removed dsl ppp modem code and moved it into a separate plugin
* (Cosmetic) tweaks in the module_probe() function
- Removed transparent proxy code and moved it into a separate plugin
* IPv6 drop-policy setting (when IPv4 is selected) now only performed if IPv6
  is available on the system
+ Added $network to the Debian LSB headers
* IDS plugin now uses priority 90 (near last)
* Linux-igd plugin is no longer enabled by default (it was never intended to be so)
* Changed default firewall log file to /var/log/firewall.log
* Renamed POST_INPUT_CHAIN to POST_INPUT_DROP_CHAIN (+updated IDS plugin accordingly)
+ Implemented new POST_INPUT_CHAIN, POST_FORWARD_CHAIN & POST_OUTPUT_CHAIN
* Misc. (cosmetic) changes

Version 1.9.0-rc1 (July 29, 2008)
---------------------------------
! Fixed a bug in the nat forwarding code causing interfaces not to work
+ Updated ipsec-vpn plugin (& renamed from "racoon-ipsec-vpn")
* Updates to the README-file
* Misc. changes

Version 1.9.0-beta3 (May 25, 2008)
----------------------------------
+ Implemented check-conf argument to only perform a sanity check
! Fixed no_broadcast code
+ Added HIGHLY EXPERIMENTAL IDS plugin
+ Added IDS hook in the main script (via POST_XXX_XXX CHAINS)
+ Added stop-block argument
- Deprecated LOOSE_UDP_PATCH
* Switched from /proc to sysctl for setting kernel options
* Missing sysctl conntrack setting is NOW fatal
! Fixed unreferenced get_protos_ip
+ Added $network to the Debian init.d headers
* Misc. (cosmetic) tweaks

Version 1.9.0-beta2 (March 23, 2008)
------------------------------------
! Fixed echo output showing hosts that shouldn't be displayed
* IPv4 traffic now has a default policy of DROP when IPv6 is enabled and vice versa
+ Added LOCAL_CONFIG_FILE variable to allow e.g. certain user/global/local settings
  to be sourced into the script
+ Implemented plugin_status() support
+ Implemented plugin_stop() support
+ Updated several plugins. Multiroute now has a proper stop() section for example
! Fixed error on missing /proc/ queue_maxlen....
! Fixed support for legacy plugins

Version 1.9.0-beta1 (January 17, 2008)
--------------------------------------
! Fix /proc/.../ conntrack set for newer kernels
! Fixed bug (typo) in $REJECT_TCP_NOLOG
! Fixed DEFAULT values in the helper parsing functions causing e.g. simple port forwards
  not to work
! Fixed missing default values for the source hosts in the NAT port forwards
! Several (regression) fixes in the NAT forwarding rules
! Fixed a regression bug in the module_probe() function
! Several regression fixes in the interface sanity_check()
* Minor cosmetic changes

Version 1.9.0-ALPHA2 (December 18, 2007)
----------------------------------------
! Fixed ICMPv6 types
* All (user) chains are now created in the beginning to allow plugins/custom
  rules to add rules to them.
+ Implemented separate variables for the iptables & ip6tables binaries. Instead
  of selecting the binary itself, IPv6 support can now be enabled/disabled via
  variable IPV6_SUPPORT
! Several fixes for IPv6 support
+ Implemented IPV6_SUPPORT variable for the "actual" IPV6 support
* Moved "old" IPV6_OVER_IPV4 to a plugin
* Host block now performed for ALL interfaces, not just the external one
* ICMP flooding changed from 20/sec max to 60/sec max.
+ Added support for aliased external interface / multi-IP setups. You can now
  also use the IP (instead of the interface name) to restrict INPUT/OUTPUT
  rules
! Fixed the HOST_ output logging rules
! Fixed interface check in sanity_check()
! Misc. bug fixes
+ Major cleanup
* Cosmetic changes

Version 1.9.0-ALPHA1 (December 5, 2007)
---------------------------------------
+ Added DEFAULT_POLICY_DROP option to allow users to disable setting iptables
  default policy to DROP. Mainly useful for people who boot from eg. NFS
  (diskless client systems).
+ DNAT plugin update. Switched from OUTPUT to PREROUTING for the DNAT rule.
! Fixed a minor bug in the NAT forwards: the FORWARD rule was missing the host destination
+ Experimental IPv6 support. You can switch from IPv4 to IPv6 by simply changing
  the iptables into "ip6tables". Note that I'm currently not able to test it, as
  I don't have any IPv6 environment.
* NAT forwards no longer use : for host/port separation due to problems with
  future IPv6 support. Now the new separator (~) is also used for this.
+ Implemented DMZ_IF_TRUST trust, to setup DMZ-DMZ trusts
* Antispoof for DMZ & INTERNAL net now only enabled when INT_IF / DMZ_IF set
+ Implemented start/stop command for plugins. Now plugins can also contain code
  to be executed whenever the firewall stops. The start or stop command is
  put in the environment variable called "PLUGIN_CMD" (which the plugin can read).
+ Major (and I mean, really MAJOR) code cleanup. This possibly broke a lot of stuff.
+ Implemented IP address ranges for ALL variables (use like 192.168.1.10-20)
+ Implemented support for restriction rules to apply only for certain external interfaces
* !!! Separator for combined host/port rules changed from : to ~ . This is mainly to
  be able to create cleaner/easier parse functions & prevent any possible problems
  with the support for IPv6 (addresses), which also uses : !!!!
! Fixed INVALID rule for UDP
* Changed the name of a lot of inconsistent variables. Unfortunately this means
  that the new config won't be fully backwards compatible with firewall version 1.8
* Changed order of some of the variables in the config file so they are more
  synced to the logic flow/order of the firewall script
* Plugin support moved to the main script
* Plugin binaries moved to /usr/share/arno-iptables-firewall/plugins
+ (Finally) implemented nice init.d script with configurable verbosity
* Misc. cosmetic changes