rc.firewall Linux Firewall

Changelog

2.0rc11 -> 2.0 (final)
  • Documentation and website address updates.

2.0rc10 -> 2.0rc11
  • Updated how firewall determines version of external configuration file. (bugfix)
  • Updated how the firewall determines the interface netmask to handle interfaces with nonstandard ifconfig format. (bugfix)
  • Added a new RFC_1122_COMPLIANT option, "depends", that automatically turns off RFC_1122_COMPLIANT if we have no ports open.
  • Firewall now disables log_martians if we do not have logging enabled.
  • Added advanced feature documentation and some firewall behavior documentation in the script as comments in order to eliminate the need to refer to online documentation.
  • Some minor spelling and grammar updates and some minor code cleanup.
  • Updated sanity checking operations on STATIC_INSIDE_OUTSIDE in order to prevent forwarding to an address assigned on one of the firewall's internal interfaces. (bugfix)
  • Removed stateful inspection from packets originating from localhost. Now we accept all packets that we generate ourselves. (bugfix)
  • Firewall now assures that temporary bash variables are reset before using them and removed deprecated use of OPEN_PORTS and TRUSTED_NETWORKS in configuration file update code. (security fix)
  • New 'status' command line argument determines if the firewall has been enabled or not.
  • New 'help' command line argument gives documentation on using command line arguments.
  • Firewall now provides an error message for invalid command line arguments.
  • Updated how and when firewall warns about overwriting a configuration file with 'save' argument.
  • Default policy now set after iptables rules are configured to avoid problems running rc.firewall with filesystems mounted over NFS. (bugfix)

2.0rc9 -> 2.0rc10
  • Fixed DUMP_TCP_ON_INIT for use with 2.6 kernels.
  • LANG variable is now used to display 'ifconfig' output in the English language if either /usr/share/locale/en_US/LC_MESSAGES/net-tools.mo or /usr/share/locale/en/LC_MESSAGES/net-tools.mo exist.
  • Firewall now shows the public address in the exit message when FIREWALL_IP is enabled.
  • Improved error messages for STATIC_INSIDE_OUTSIDE.
  • Updated instances of deprecated coreutils syntax, e.g. "head -#" was changed to "head -n #".
  • Firewall now issues a warning when trying to overwrite a configuration file with 'save' instead of 'update'.
  • Port forwarding now correctly uses original inbound port range as destination port range when destination ports are not explicitly specified.
2.0rc8 -> 2.0rc9
  • ICMP echo-request packets are now allowed through the firewall to all hosts on the DMZ if the RFC_1122_COMPLIANT option is enabled.
  • Installer version 1.1 security-fix: Remove filename from /tmp before writing to it.
  • Eliminate ./rc.firewall clear garbage output when used with a non-modular kernel.
  • New option: "SHARED_INTERNAL" to control access between internal networks.
  • Added explanation of default internal network behavior in PERMIT documentation and added minor updates to Advanced Documentation section.
  • Functions for ALLOW_INBOUND and DENY_OUTBOUND heavily modified to provide more intuitive firewall behavior.
  • Various minor wording changes in error messages and comments.
  • New function "FIREWALL_IP" provides a solution to allow a Linux firewall to be transparently inserted between a public network and its border router.
  • Port forwarding setup function updated.

2.0rc7 -> 2.0rc8
  • xbits() COUNT variable changed to NUM to avoid conflict in STATIC_INSIDE_OUTSIDE. (bugfix)

2.0rc6 -> 2.0rc7
  • Option to ignore interfaces.
  • Option to dump established TCP connection on firewall initialization.
  • New TTL stealth router mode. Requires TTL kernel patch above.
  • Option to drop new packets without the SYN flag set.
  • Log limiting and levels can now be changed via configuration options.
  • Use of iptables-save in save function and fast restore option for static speed sensitive applications.
  • Support for updating configuration files from any version of rc.firewall.
  • PERMIT parsing bugfix.
  • Fix to allow ICMP-ECHO-REQUEST replies to be sent when configured as a router with no assigned IP addresses.
  • Pretty progress dots for firewall configuration.
  • Firewall now checks for proc filesystem support.
  • ip_forward is now enabled after firewall rules are in place.
  • All modules besides ip_conntrack are unloaded when the firewall is stopped.
  • STATIC_INSIDE_OUTSIDE can now handle connections from the network on which the inside host resides.
  • Option to allow systems on your local external network to bypass the firewall.
  • Code cleanup in various functions.

2.0rc5 -> 2.0rc6
  • Numerous minor bugfixes.
  • Support for DMZ interfaces.
  • New BLACKLIST option to tame very badly behaved hosts.
  • Combined OPEN_PORTS and TRUSTED_NETWORKS into a single configuration option called "PERMIT".
  • Port forwarding now works from the local machine, provided you have iptables 1.2.6a+ and kernel 2.4.19+ with CONFIG_IP_NF_NAT_LOCAL enabled.
  • Option to always load an external configuration file.

2.0rc4 -> 2.0rc5
  • Huge speed increase from eliminating nameserver lookups in various sanity checking operations.
  • Unloads ipchains before modprobing required modules.
  • Added intelligence for an interface that is up but doesn't have an address yet (dhcp is searching for an address).
  • Assorted other sanity checking code cleanups. Special thanks to Stepan Kasal <kasal@math.cas.cz> for numerous patches.
  • TRUSTED_NETWORKS can now access internal hosts through a non-nat firewall.
  • Added support to selectively allow inbound sessions from/to specific hosts/ports on a non-nat network.
  • Added support for selectively blocking access from internal network to selected hosts/networks/ports.
  • Support for static one to one mapping of internal and external addresses through the firewall.
  • Fix port forwarding on dynamic external interfaces.
  • Fix traceroutes broken due to ICMP DNAT information leak workaround.
  • Script now checks for Local Loopback interface.
  • Script now performs route compaction (intelligently removes redundant networks).
  • Script now checks definitions relating to the internal network against internal networks actually available.
  • Configuration file can now be loaded and saved from any location.

2.0rc3 -> 2.0rc4
  • More updates to port forwarding code.
  • Added complete descriptions of basic directives and removed descriptions for advanced directives with a reference to the online documentation.
  • All sanity checking is now completed before any changes to the current system configuration are made.
  • Added support for optional firewall configuration file using 'saveconfig' and 'loadconfig' execution arguments.
  • Support for port specification on trusted networks.
  • Added support for dynamic (dial-up) internal interfaces.

2.0rc2 -> 2.0rc3
  • Only source NAT connections leaving the same interface they came in on. Fixes port forwarding caveat #2. 2.0rc3 requires mangle table support, the MARK target, and the mark match module to do port forwarding.
  • Add rp_filter support.
  • Change STATIC_IP to DYNAMIC_INTERFACES to allow for finer control over NAT.
  • Disable IP aliasing support where it doesn't make sense.
  • Fix TRUST_ROUTED_NETWORKS bug.
  • Make port forwarding select connections to forward more rigorously.
  • Pretty progress dots.
  • Various other minor improvements.

1.8 -> 2.0rc2
  • Tons and tons of error checking, both for user input and in verifying that the current system configuration is usable, with much more verbose success and failure messages.
  • Powerful port forwarding directives.
  • Logging support.
  • Support for SysV style initialization. The 'start' and 'restart' arguments are redundant and are equivalent to running the script without any arguments at all. The 'stop' argument removes all existing firewall rules ('stop' and 'clear' are synonymous).
  • External interfaces no longer need to be specified; they are automatically determined.
  • Automatically modprobes required modules.
  • Support for routing without doing NAT.
  • Support for routing additional internal networks.
  • Support for routing internal network connections but not trusting them to connect to the machine itself.
  • Support for interfaces with non-static addresses.
  • Explicitly allow packets from loopback interface instead of having the loopback address as a trusted network.
  • Support for multiple internal and external interfaces and IP aliasing [e.g. eth0:1].
  • PATH is now explicitly specified.
  • Added primitive route verification, script now checks that packets from routed networks are received on internal interfaces.
  • Allowing internal DHCP packets is now optional.

1.7 -> 1.8
  • Changed default policy in the filter table to DENY on the FORWARD and INPUT chains. Packets matching ESTABLISHED and RELATED states are now explicitly allowed, while those matching the INVALID state now fall off the end of the chains. This required adding explicit state matching to all rules. The script is still functionally exactly the same.
  • Default configuration no longer has any trusted hosts.
  • Enabling the RFC 1122 compliance option now only allows ICMP type 'echo-request' (as opposed to all ICMP packets) and gracefully rejects unmatched NEW connections.
  • Rewrote TRUSTED chain implementation.
  • Added -n to NOT look up hostnames when checking `iptables -L`. Very important if you cannot reach your nameserver!
  • When IS_ROUTER is enabled, the script now automatically adds the internal network to the list of trusted networks and allows access to UDP port 67 (DHCP) from the internal interface.
  • Added checking to determine if interfaces being used are actually up.
  • Some formatting cleanup.
  • Added loopback addresses as a trusted network [127.0.0.0/8].
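The 1.7 -> 1.8 entries above describe a rule set: a deny default policy on INPUT and FORWARD, explicit ESTABLISHED/RELATED acceptance, state matching on every rule so INVALID packets fall off the end, and an RFC 1122 mode that admits only echo-request and rejects other NEW connections gracefully. The following added example (not rc.firewall's own code) emits the iptables commands for that design rather than executing them, so it can be reviewed without root; the interface name, open port list and RFC_1122 switch are constructed placeholders, and the deny policy is spelled DROP because that is iptables' name for it.

```shell
#!/bin/sh
# Added example, not part of rc.firewall: print the iptables commands for the
# 1.8 design instead of running them. Review the output, or pipe it to sh as root.
EXT_IF="${EXT_IF:-eth0}"        # assumed external interface (constructed)
OPEN_TCP="${OPEN_TCP:-22 80}"   # assumed open TCP ports (constructed)
RFC_1122="${RFC_1122:-yes}"     # assumed switch standing in for RFC_1122_COMPLIANT

ipt() { printf 'iptables %s\n' "$*"; }

build_rules() {
    ipt -F
    ipt -X
    # Default policy: deny on INPUT and FORWARD, so anything unmatched is dropped
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback is accepted explicitly rather than as a trusted network
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections we already track are explicitly allowed
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Every accept rule carries explicit state matching, so INVALID never matches
    for p in $OPEN_TCP; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    if [ "$RFC_1122" = yes ]; then
        # Only ICMP echo-request is let in; other unmatched NEW connections are
        # rejected with a reply instead of silently dropped
        ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
        ipt -A INPUT -i "$EXT_IF" -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset
        ipt -A INPUT -i "$EXT_IF" -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
    fi
    # INVALID packets match none of the above and fall off the end to the DROP policy
}

# Review check: how many emitted rules carry explicit state matching
stateful_rule_count() {
    build_rules | grep -c -- '--state'
}

build_rules
```

Setting RFC_1122=no drops the three RFC 1122 rules, leaving unmatched NEW connections to the silent DROP policy, which is the difference between the two behaviours the 1.8 entry describes.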

1.6 -> 1.7
  • First release under GPL licensing.
  • Added Changelog.
  • Location of iptables no longer defined in-script. Make sure iptables is in your path.
  • Tests for existence of nat and mangle tables.
  • Integrate separate workstation, server, and router scripts into one script.
  • Remove explicit redirection of packets from the internal network to the external interface. The kernel does this for us.
