$Id: WhatIsNew,v 1.11 2007/05/20 16:53:22 ktsaou Exp $
What Is New in public releases.
R5 v1.255, May 20, 2007
Fixed kernel 2.6.20+ compatibility issues.
Fixed BASH 3.2 compatibility issues.
Fixed iptables compatibility issues.
FireHOL supports external definitions of RESERVED_IPS,
PRIVATE_IPS, MULTICAST_IPS, UNROUTABLE_IPS in /etc/firehol.
Also, complains if RESERVED_IPS is older that 90 days.
Policy, now works on routers too.
Updated services: nfs, OSPF, sip, vmwareweb,
Added protections: bad-packets, all-floods
Added actions: TARPIT
Added support for the RECENT iptables module.
Added addrtype support in optional rule parameters.
Added FIREHOL_DROP_ORPHAN_TCP_ACK_FIN for busy servers.
Added FIREHOL_LOG_PREFIX to improve logging.
Fixed various minor bugs.
R5 v1.226, Jan 30, 2005
Still there were issues with the temporary files.
Fixed all of them for good.
R5 v1.224, Jan 25, 2005
Added services ANYSTATELESS, TIMESTAMP, DICT. Added support for
Fixed various minor bugs and eliminated all vulnerabilities
where malicious local system users could use FireHOL's temporary
files to overwrite arbitrary files on the system
R5 v1.214, Nov 1, 2004
This is a major release which includes several updates and fixes.
All users are advised to update to this version. This release
includes new service definitions: NIS, NUT, NNTPS, ASTERISK,
DARKSTAT, DISTCC, ESERVER, GIFT, GIFTUI, H323, IAX, IAX2, ICP,
RTP, SIP, STUN, UPNP, RDP, NXSERVER, RADIUSPROXY, RADIUSOLDPROXY.
The following service definitions have been updated: DHCP, SAMBA,
NFS. The following helpers have been added: TOS, DSCP, TCPMSS,
ECN_SHAME. The following optional rule parameters have been added:
TOS, MARK, DSCP. Added support for automatic installation of
service definitions with third party packages, in
Also, FireHOL now has improved interoperability with various
Linux distributions, including BASH 3.x, updated RESERVED_IPS
for current IANA IPv4 reservations, finer control on ACCEPTed
services to allow controllable requests per second, the
ability to control loopback traffic and support for service
R5 v1.191, May 2, 2004
This release features more services, including ORACLE, GKRELLMD,
DCC, WHOIS, fixed CUPS, enhanced SAMBA services, new optional
rule parameters, including PHYSIN, PHYSOUT, updated MAC helper,
better compatibility, better kernel module management, support
for ULOG logging, better iptables statements generation, updated
PRIVATE_IPS for IANA reservations, and various bug fixes.
All users are advised to update to this version.
R5 v1.159, Oct 10, 2003
This release features more services including MSN, DCPP, JABBER,
JABBERD, WEBMIN, TIME, POSTGRES, HYLAFAX, XDMCP, TFTP, Veritas
NetBackup, many updates and fixes to other services, three new
helpers, the MAC helper (global pairing of MAC and IP addresses),
the BLACKLIST helper (blacklist certain IPs - unidirectional or
bidirectional), the MARK helper (mark packets for use by QoS),
two new optional rule parameters, MAC (match source MAC address)
and OWNER (match the user sending traffic), and it also provides
better interoperability with various distributions (mainly
Gentoo - also firehol now detects if all needed commands are
present), more control on kernel module management (and better
detection of iptables modules compiled in the kernel), more
control on firewall status during a firewall restart, cleaner
iptables commands generation, better support for kernel 2.6.x,
R5 v1.120, Apr 6, 2003
The main new feature of this release is the HELPME function that
detects and produces the FireHOL configuration for the host run.
Additionally, this release introduces a new PANIC mode which is now
handled entirely by FireHOL, has better handling of the MIRROR target,
has wider support for SNMPTRAP and SYSLOG, a definition for the
SOCKS service, and better interoperability with various Linux
distributions (i.e. Debian).
R5, v1.91, Feb 18, 2003
This release adds support for controlling log levels on a per rule basis,
updated RESERVED_IPS variable according to the latest releases of IANA,
and a few minor fixes to increase compatibility on various Linux
R5, v1.89, Feb 3, 2003
This release adds the service eMule (for clients, servers, and routers),
supporting the bi-directional socket environment required by the popular
eDonkey network client.
R5, v1.88, Jan 30, 2003
This release fixes all reported problems related to NAT. FireHOL now
fully supports DNAT, SNAT, REDIRECT, and MASQUERADE implemented as
helper commands, and also the TRANSPARENT_SQUID helper for setting up
transparent HTTP caches running on the firewall host (supporting
transparent caching for traffic targeting, passing through, and
originated from the firewall host).
R5, v1.85, Jan 28, 2003
The masquerade helper has been fixed to handle the 'reverse' keyword
correctly and accept the network interface as expected.
R5, v1.83, Jan 27, 2003
This release adds support for NAT (SNAT, DNAT, and REDIRECT), support
for the OWNER iptables module (user, group, session, and process),
various error handler enhancements, support for runtime warnings (for
missing kernel modules; it now runs on kernels compiled without
modules), and a few workarounds for bugs in iptables-save (regarding
the owner module).
R5, v1.70, Jan 8, 2003
In this release the services ping, AH (IPSEC), ESP (IPSEC), GRE, and
microsoft_ds have been added, the action REJECT has been changed to be
"smart" and send TCP RST on TCP and ICMP port unreachable on all other
protocols, various speed optimizations have been applied, and a
"transparent_squid" helper has been added to take care of port
forwarding for setting up a transparent cache.
For files released before 2003, please check the ChangeLog file.