1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
firehol (3.1.1) - 2017-01-10
* FireHOL
- Accept correctly spelled keyword stateful as well as statefull
to match documentation
* VNetBuild
- drop ksh support (bash is preferred and required by other programs)
* Common
- drop ksh detection from configure script
* Update-Ipsets
- added urandom.us.to list
- added dataplane.org SIP Invitation and SIP Registration feeds
firehol (3.1.0) - 2016-11-28
* Common
- Rework installation to make full use of autoconf results in all
programs
- Enabled unit tests on "make check", provided the user has
unprivileged user namespaces enabled.
* FireHOL
- Option to disable wizard (reduces required tools slightly) and
other fixes for small systems e.g. OpenWRT
- Emit help in syslog on failure if we are running with no terminal
since otherwise when running via systemd a user cannot see full error.
- Deprecated service ipv6error, not needed since 3.0.0. Moved ICMPv6
RELATED matching earlier to stop user accidentally preventing them.
* VNetBuild
- improve graphviz output
firehol (3.0.2) - 2016-11-22
* FireHOL
- Fix transparent_proxy IPV6 output #164
- sysctl commands for synproxy, did not specify read or write operation
- added manual page for cthelper
- added connlimit to blacklist and iptrap
- added stateful option to blacklist
- FIREHOL_DROP_ORPHAN_TCP_ACK_FIN fixed to match only ACK+FIN
- FIREHOL_DROP_ORPHAN_TCP_ACK_RST added
- FIREHOL_DROP_ORPHAN_TCP_ACK added
- FIREHOL_DROP_ORPHAN_TCP_RST added
- FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 (orphan destination unreachable)
- added the word BLOCKED to the log messages of INVALID packets dropped
* FireQOS
- experimental ematch support #125
- new functions #113
* VNetBuild
- fix for not detecting running vhosts
- added command comments on status output
* Link-Balancer
- Detect if ping -6 should be used #126
* Update-IPsets
- Various feed additions and fixes
* Common
- Fix commit hook regex for newer perl
- Documentation fixes
firehol (3.0.1) - 2016-01-10
* FireHOL
- Add ipv6mld to simplify enabling Multicast Listener Discovery
protocol, required on networks which do multicast snooping.
- Update the example to make it more likely to work copy-pasted,
include MLD
* VNetBuild
- Add pre_up to run commands immediately before an interface is started
* Common
- Packaging fixes
- Command detection fix for :
firehol (3.0.0) - 2015-12-20
* FireQOS
- Bidirectional fixes
- accept DSCP parameters case insensitive
- allow matching within GRE packets
- use configured firehol config directory
* Update-Ipsets
- added jigsaw lists
firehol (3.0.0-rc.4) - 2015-11-28
* Rework packaging
- Simplify version number handling
- Common functions moved to a file in lib
- Allow disabling IPv4/IPv6 at configure time
- Allow disabling any unwanted tools
- Allow disabling manpages and/or docs
- Honour configure script setting for AUTOSAVE and others
- All commands detected via configure, used via variables
Incuding new 'iprange' tool https://github.com/firehol/iprange/releases
* FireHOL
- Fixes to DSCP class
- added protection *connlimit* and *connrate*; removed default mask
from parameter connlimit
- added rule option *connlog* to only log the first packet of connections
added *hashlimit* with all its options
- most actions now accept the keywork *with* which also supports
*with connlimit* and *with hashlimit*
- use iprange --diff mode for comparing ipset versions
* FireQOS
- fail if DSCP and TOS match have been specified at the same time
- various fixes
* VNetBuild
- Eliminate dependency on brctl
* Update-Ipsets
- Promoted from contrib
- Various improvements
firehol (3.0.0-rc.3) - 2015-10-10
* Common
- ipset fixes
- require pandoc 1.12.2.1 and use its features
- iprove contents page in documentation
* FireHOL updates
- made STOP mode exit successfully
- add support for restore when specifying a filename on the command line
- allow multiple "except" rules in statements that accept the keyword
- disabled spinner in explain mode
- add support for comma as an ipset IP separator
- tproxy now uses markdef() to allocate a mark
- save marks.conf only after successful firewall activation
- drop requirement for awk (other programs still use it)
- add log() and loglimit() helpers to allow logging from ipsets globally
- prevented backup of all the ipsets in memory - it takes too long
when the system has many ipsets installed
- rewrote the ipsets functionality so that:s
- it optimizes netsets with iprange if present
- it adapts the maxelem parameter for the updated ipset so that
updating ipsets with big incremental updates does not fail
- maintains compatibility with older ipset versions
(side-effect: calling an ipset update without restarting the
firewall now only support ipsets that are used in firehol.conf)
- if iprange is present, processing of ipsets is a lot faster
* FireQOS updates
- add ability to stop QoS on a specific device
- fix for ERROR columns on some tc versions
- max/ceil % is now relative to parent's ceiling rate
(it was by mistake to parent's base rate)
- warn if a class takes priority outside the valid ranges of HTB (0-7)
- switched default color from blue to green
* Link-Balancer updates
- add wrappers for rawmark() and custommark()
- when a table was already up to date but other depend on it,
it was failing #78
- fix issue when specifying loop and timeout #77
* Contrib (ipsets scripts)
- various fixes and lists added
- support aggregate to optimize netsets
- support syslog logging
- add iprange program, various enhancements over original
* VNetBuild updates
- Added
firehol (3.0.0-rc.2) - 2015-03-14
* Common
- Added --disable-doc to configure script to stop the installation
of PDF and HTML versions of documentation
- Start to bring documentation in line
- Disable colour on non-terminals
* FireHOL updates
- Added synproxy support
- Services "all" and "any" are now simple services. Service "all" now
has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN.
- Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately
- Fix empty firewall case
- Added state NEW to masquerade
- Fix to ensure the final firewall close code emits as both ipv4 and ipv6
where appropriate even if only ipv4 or ipv6 was used for the final
interface/router
- Added action type "sockets_suspects_trap"
- iptrap now creates the trap if it is not already created
- Eliminate a warning for kernels prior to 3.5
- NAT now supports balancing multiple IPs or ports on all NAT modes
- NAT now supports keyword "at" to specify the chain to be attached to
- Optimise multi-port matching rules
* FireQOS updates
- Optimisations
- Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP
- Fixed monitor mode
* Link-Balancer updates
- Fix to stop ignoring fallback gateways
- Use "traceroute -6" not "traceroute6"
firehol (3.0.0-rc.1) - 2015-02-15
* Performance improvements
- Both the script and resulting firewalls are faster
- Choose original complete bi-directional or even faster runtime matching
* New firewall features
- ipset support and management
- IDS and port knocking with traps
- multiple mark definitions
- conntrack helpers
- experimental tproxy support
- separate default settings file
* Introduction of link-balancer script
|
