firehol (3.1.7) - 2020-12-31
* FireHOL
- Fix dhcpv6 example to say dhcpv6 #438
- blacklist - add "nolog" option
- blacklist - reject with tcp-reset for outbound TCP connections
- firehol.service - Use `firehol start` for ExecReload=
- Don't drop icmpv6 rules with FIREHOL_RULESET_MODE optimal #372
* FireQOS
- workaround for cases where "-ifb" name gets truncated
- Fix for low-res timer check on openwrt
* Common
- Replace Travis with Github actions
- Various typo fixes
- Print unit test names as we run them
- Unit test fixes for Ubuntu 20.20 output differences
firehol (3.1.6) - 2018-08-13
* FireHOL
- Boot startup fix #260
- docker_bridge helper #114
- Allow newer iptables #264
- Log blocked/dropped packets in synproxy, mac, connlimit, fragments, ...
- Fix wait for netfilter ready when using namespaces
- Fast activation fixes #272
- Allow matching DSCP CS0; fixes #288
- Moved service definitions out of firehol / fireqos into separate files
- Allow DROP_INVALID with any action (e.g. REJECT)
- Add option FIREHOL_ACCEPT_OUTPUT_UNMATCHED_TCP_RST
* FireQOS
- Fix status to work with newer iproute; fixes #317
- Update sample service definition to start after network #315
* Link-Balancer
- linkdown: routes cannot be added or deleted whilst marked invalid #211
* Update-Ipsets
- Various fixes, including #266 #265
- List additions, updates and removals
- Minor enhancements
* Common
- Fix parallel builds #255
- Harden unit tests against tool output changes
firehol (3.1.5) - 2017-09-17
* FireHOL
- Fix some links in documentation
* FireQOS
- Insert a rawmark mask if none specified
* Update-Ipsets
- Support serving ipset files from local web server
- Lower pressure on github
firehol (3.1.4) - 2017-08-20
* FireHOL
- Google hangouts port range fix #235
- Fix hashlimit option names #223
- Documentation improvements, marks #184 and cthelper #94
- Allow negating interface in blacklist #143
* FireQOS
- DSCP match fixes #248
- TCP match fix #249
- Improve docs on using act_connmark to match ingress marked traffic #231
* Update-Ipsets
- Added various lists, removed discontinued ones
- Include URL in user agent string in #217
- Relax umask to allow stats collection by netdata #221
firehol (3.1.3) - 2017-02-17
* FireHOL
- Be more strict when detecting address ranges
Fixes #199 where hostnames such as x-2.example.com are incorrectly
identified as ranges.
* Common
- Create relative links to binaries, which prevents errors when
installing with DESTDIR other than /
Fix for #178 and #201 proposed by @kneeke
firehol (3.1.2) - 2017-02-05
* FireHOL
- Include user policies in chains before handling orphans. Fixes NFS
client where FIREHOL_DROP_ORPHAN_TCP_* options are in force.
- Do not allow server/client statements without any effect on the
firewall; #193
- Saved firewall contents made reproducible by always zeroing counters
and removing the dates from comments
* FireQOS
- Example had an ambiguous shebang which has been removed
* Common
- Running "make check" now exits non-zero if a test failed or none ran
- Various copyright updates
- Fixed pull requests from external repositories; these would previously
fail to build on Travis
firehol (3.1.1) - 2017-01-10
* FireHOL
- Accept correctly spelled keyword stateful as well as statefull
to match documentation
* VNetBuild
- drop ksh support (bash is preferred and required by other programs)
* Common
- drop ksh detection from configure script
* Update-Ipsets
- added urandom.us.to list
- added dataplane.org SIP Invitation and SIP Registration feeds
firehol (3.1.0) - 2016-11-28
* Common
- Rework installation to make full use of autoconf results in all
programs
- Enabled unit tests on "make check", provided the user has
unprivileged user namespaces enabled.
* FireHOL
- Option to disable wizard (reduces required tools slightly) and
other fixes for small systems e.g. OpenWRT
- Emit help in syslog on failure if we are running with no terminal,
since otherwise when running via systemd a user cannot see the full error.
- Deprecated service ipv6error, not needed since 3.0.0. Moved ICMPv6
RELATED matching earlier to stop users accidentally blocking those packets.
* VNetBuild
- improve graphviz output
firehol (3.0.2) - 2016-11-22
* FireHOL
- Fix transparent_proxy IPV6 output #164
- sysctl commands for synproxy did not specify read or write operation
- added manual page for cthelper
- added connlimit to blacklist and iptrap
- added stateful option to blacklist
- FIREHOL_DROP_ORPHAN_TCP_ACK_FIN fixed to match only ACK+FIN
- FIREHOL_DROP_ORPHAN_TCP_ACK_RST added
- FIREHOL_DROP_ORPHAN_TCP_ACK added
- FIREHOL_DROP_ORPHAN_TCP_RST added
- FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 (orphan destination unreachable)
- added the word BLOCKED to the log messages of INVALID packets dropped
* FireQOS
- experimental ematch support #125
- new functions #113
* VNetBuild
- fix for not detecting running vhosts
- added command comments on status output
* Link-Balancer
- Detect if ping -6 should be used #126
* Update-Ipsets
- Various feed additions and fixes
* Common
- Fix commit hook regex for newer perl
- Documentation fixes
firehol (3.0.1) - 2016-01-10
* FireHOL
- Add ipv6mld to simplify enabling Multicast Listener Discovery
protocol, required on networks which do multicast snooping.
- Update the example to make it more likely to work copy-pasted,
include MLD
* VNetBuild
- Add pre_up to run commands immediately before an interface is started
* Common
- Packaging fixes
- Command detection fix for :
firehol (3.0.0) - 2015-12-20
* FireQOS
- Bidirectional fixes
- accept DSCP parameters case insensitive
- allow matching within GRE packets
- use configured firehol config directory
* Update-Ipsets
- added jigsaw lists
firehol (3.0.0-rc.4) - 2015-11-28
* Rework packaging
- Simplify version number handling
- Common functions moved to a file in lib
- Allow disabling IPv4/IPv6 at configure time
- Allow disabling any unwanted tools
- Allow disabling manpages and/or docs
- Honour configure script setting for AUTOSAVE and others
- All commands detected via configure, used via variables
Including new 'iprange' tool https://github.com/firehol/iprange/releases
* FireHOL
- Fixes to DSCP class
- added protection *connlimit* and *connrate*; removed default mask
from parameter connlimit
- added rule option *connlog* to only log the first packet of connections
- added *hashlimit* with all its options
- most actions now accept the keyword *with*, which also supports
*with connlimit* and *with hashlimit*
- use iprange --diff mode for comparing ipset versions
* FireQOS
- fail if DSCP and TOS match have been specified at the same time
- various fixes
* VNetBuild
- Eliminate dependency on brctl
* Update-Ipsets
- Promoted from contrib
- Various improvements
firehol (3.0.0-rc.3) - 2015-10-10
* Common
- ipset fixes
- require pandoc 1.12.2.1 and use its features
- improve contents page in documentation
* FireHOL updates
- made STOP mode exit successfully
- add support for restore when specifying a filename on the command line
- allow multiple "except" rules in statements that accept the keyword
- disabled spinner in explain mode
- add support for comma as an ipset IP separator
- tproxy now uses markdef() to allocate a mark
- save marks.conf only after successful firewall activation
- drop requirement for awk (other programs still use it)
- add log() and loglimit() helpers to allow logging from ipsets globally
- prevented backup of all the ipsets in memory - it takes too long
when the system has many ipsets installed
- rewrote the ipsets functionality so that:
- it optimizes netsets with iprange if present
- it adapts the maxelem parameter for the updated ipset so that
updating ipsets with big incremental updates does not fail
- it maintains compatibility with older ipset versions
(side-effect: calling an ipset update without restarting the
firewall now only supports ipsets that are used in firehol.conf)
- if iprange is present, processing of ipsets is a lot faster
* FireQOS updates
- add ability to stop QoS on a specific device
- fix for ERROR columns on some tc versions
- max/ceil % is now relative to the parent's ceiling rate
(it was mistakenly relative to the parent's base rate)
- warn if a class takes priority outside the valid ranges of HTB (0-7)
- switched default color from blue to green
* Link-Balancer updates
- add wrappers for rawmark() and custommark()
- when a table was already up to date but others depended on it,
it was failing #78
- fix issue when specifying loop and timeout #77
* Contrib (ipsets scripts)
- various fixes and lists added
- support aggregate to optimize netsets
- support syslog logging
- add iprange program, various enhancements over original
* VNetBuild updates
- Added
firehol (3.0.0-rc.2) - 2015-03-14
* Common
- Added --disable-doc to configure script to stop the installation
of PDF and HTML versions of documentation
- Start to bring documentation in line
- Disable colour on non-terminals
* FireHOL updates
- Added synproxy support
- Services "all" and "any" are now simple services. Service "all" now
has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN.
- Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately
- Fix empty firewall case
- Added state NEW to masquerade
- Fix to ensure the final firewall close code emits as both ipv4 and ipv6
where appropriate even if only ipv4 or ipv6 was used for the final
interface/router
- Added action type "sockets_suspects_trap"
- iptrap now creates the trap if it is not already created
- Eliminate a warning for kernels prior to 3.5
- NAT now supports balancing multiple IPs or ports on all NAT modes
- NAT now supports keyword "at" to specify the chain to be attached to
- Optimise multi-port matching rules
* FireQOS updates
- Optimisations
- Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP
- Fixed monitor mode
* Link-Balancer updates
- Fix to stop ignoring fallback gateways
- Use "traceroute -6" not "traceroute6"
firehol (3.0.0-rc.1) - 2015-02-15
* Performance improvements
- Both the script and resulting firewalls are faster
- Choose original complete bi-directional or even faster runtime matching
* New firewall features
- ipset support and management
- IDS and port knocking with traps
- multiple mark definitions
- conntrack helpers
- experimental tproxy support
- separate default settings file
* Introduction of link-balancer script