1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
|
ufw (0.35) UNRELEASED; urgency=medium
* update check-requirements and README for python 3.5
* update unit tests to not fail when /proc/net/* has no useful information
(Closes: 797020)
* update rsyslog example to use 'stop' instead of the deprecated '~'
(Closes: 798100)
* add --rootdir and --datadir options to ufw and ufw-init to make
relocatable
* files owned by 'clickpkg' are ok too
* add preliminary snappy packaging
* add support for comments (LP: #448503)
* don't allow 'route delete NUM' and suggest 'delete NUM' instead
* move user[6].rules to /etc/ufw (LP: #728128)
* update README: python3 < 3.4 is no longer supported
-- Jamie Strandboge <jamie@ubuntu.com> Sun, 07 Feb 2016 16:55:26 -0600
ufw (0.34) RELEASED; urgency=low
* refactor capabilities checks and only call when needed
* error out early instead of tracing back with iptables errors in
get_netfilter_capabilities() (LP: #1044361)
* fix TypeError which somehow only manifested itself when using zh_CN
* add 'reload' to help (LP: #1059060)
* check-requirements now gives iptables output on failure. Patch thanks to
S. Nizio.
* use conntrack instead of state module. Patch based on work by S. Nizio.
(LP: #1065297)
* don't use get_netfilter_capabilities() with ipv6 if ipv6 is disabled
(LP: #1039729, LP: #1062521)
* fix parse error when finding PPID (LP: #1101304)
* implement before and after hooks in /etc/ufw/(before|after).init
(LP: #1075975) TODO: add tests
* add unit test framework and cleanup, remove dead and refactor some code
* honor UFW_SKIP_CHECKS=1 environment variable with setup.py, which eases
testing
* tests/check-requirements: add a check for -m rt --rt-type 0 (LP: #1191197)
* match simple rule syntax and don't allow ports with esp and ah protocols
with extended rule syntax
* when displaying extended rules via parser.get_command(), show "out" if the
direction is "out" and there is no corresponding interface
* fix return of various invalid extended rules in parser.get_command()
* clarify 'limit' command in man page (LP: #1089262)
* implement route rules (ie, manage FORWARD, LP: #262421). See man page for
details. This change reworked interface parsing and we now allow
interfaces with '_' in the name (LP: #1098472)
* add state RELATED,ESTABLISHED rule to ufw-before-forward in before*.rules
like we do with ufw-before-input. This will only affect systems with ip
forwarding enabled via sysctl
* add ufw[6]-track-forward chain and handle it the same as for
ufw[6]track-input and ufw[6]-track-output
* document ufw[6]-track-* in README (dropped in previous commit)
* fix for 'status' not distingushing between some v4/v6 targets
(LP: #1078665)
* add safe icmp packets packets to ufw-before-forward in before*.rules like
we do for ufw-before-input. This will only affect systems with ip
forwarding enabled via sysctl
* update check-requirements for python 3.3 and 3.4
* add 5269/tcp to XMPP (LP: #1327162)
* fix traceback with forward rule
* import new and updated Launchpad translations:
- po/ar.po, po/ast.po, po/bg.po, po/bs.po, po/ca.po, po/ce.po, po/cs.po,
po/da.po, po/de.po, po/el.po, po/en_AU.po, po/en_GB.po, po/es.po,
po/et.po, po/fi.po, po/fr.po, po/he.po, po/hu.po, po/id.po, po/it.po,
po/ja.po, po/ko.po, po/lv.po, po/nb.po, po/nl.po, po/pl.po, po/pt_BR.po,
po/pt.po, po/ru.po, po/se.po, po/sk.po, po/sl.po, po/sr.po, po/sv.po,
po/tl.po, po/tr.po, po/uk.po, po/ur.po, po/zh_CN.po, po/zh_TW.po
- thanks to all contributors: https://translations.launchpad.net/ufw
* also use .lower() on translations for 'yes' (LP: #1438647)
* adjust/rearrange before6.rules for rfc4890 'must not be blocked' and
'should not be blocked' (LP: #1434525, LP: #1030214)
* doc/systemd.example: add service file from Ubuntu (LP: #1341083)
* correctly spell qBittorrent (LP: #1273965)
* update man page for app rules (LP: #1155292)
* support igmp protocol (LP: #946322)
* adjust testsuite for systems supporting smtp/udp (LP: #815982)
* enforce that basic commands don't have arguments (LP: #1155250)
* update command completion for --dry-run, --force, --help and route
(LP: #1225666)
* support gre protocol (LP: #1418879)
* support ./setup.py build (LP: #819600)
* doc/ufw.8:
- clarify log level behavior (LP: #1461701)
- add app profile syntax
- add protocol support
* skip profiles with invalid port declarations (LP: #1201934)
* tests/check-locales: skip locales that fail to install or generate
-- Jamie Strandboge <jamie@ubuntu.com> Thu, 20 Aug 2015 11:48:13 -0500
ufw (0.33) RELEASED; urgency=low
* conf/after6.rules: also use correct ports for DHCPv6. Thanks to Marco
Davids (LP: #1007326)
* src/util.py: add get_netfilter_capabilities() for getting the capabilities
set for things we want to support but may not be in all kernels/iptables
versions
* add IPv6 limit support (LP: #951462)
* import new and updated Launchpad translations:
- po/ast.po, po/bs.po, po/cs.po, po/de.po, po/el.po, po/en_AU.po,
po/en_GB.po, po/es.po, po/fi.po, po/fr.po, po/he.po, po/hu.po, po/it.po,
po/nb.po, po/nl.po, po/pt_BR.po, po/pt.po, po/sk.po, po/sl.po, po/sv.po,
po/zh_CN.po, po/zh_TW.po (new, LP: #868195)
- thanks to all contributors: https://translations.launchpad.net/ufw
* README.translations: updated for paths and testing
* add 'show added' report (LP: #987784)
* remove ACCEPT_NO_TRACK option since it never worked (LP: #787955)
* src/backend_iptables.py: display output of ufw-init if it fails
* don't traceback if can't determine iptables version
-- Jamie Strandboge <jamie@ubuntu.com> Sun, 12 Aug 2012 10:58:04 -0500
ufw (0.32) RELEASED; urgency=low
* Obsolete python2.5 in preparation for python3 support
* Adjust gettext initialization so that _() always returns unicode. Patch
thanks to Barry Warsaw
* Add python3 support (LP: #1001657)
* profiles/ufw-directoryserver: use LDAPS key for LDAPS
-- Jamie Strandboge <jamie@ubuntu.com> Sat, 19 May 2012 08:48:15 -0500
ufw (0.31.1) RELEASED; urgency=low
* src/util.py: revert revert r752 which introduced problems with other
locales (LP: #953372)
* add tests/check-locales. This is Debian/Ubuntu specific, but will help
avoid commits like r752.
-- Jamie Strandboge <jamie@ubuntu.com> Mon, 12 Mar 2012 20:26:28 -0500
ufw (0.31) RELEASED; urgency=low
* allow UPnP multicast for service discovery (LP: #764933)
* conf/ufw.defaults:
- remove IRC connection tracking, which is only required for DCC
- allow nf_conntrack_netbios_ns (Samba) (LP: #360975)
* enable IPv6 by default
* fix 'allow to any ipv6' when IPv6 is enabled
* update manpage references to ufw and ufw-framework to include the section
* update check-requirements to prompt to continue with tests that may
autoload modules. Add '-f' option to check-requirements and update test
suite accordingly (LP: #782816)
* don't fail when running 'show listening' under fakeroot (LP: #812516)
* add syntax-check to Makefile
* add man-check to Makefile
* src/util.py: use codes.open(..., 'UTF-8') to better support non-english
locales in third-party frontends. Analysis and patch suggestion thanks to
S. Nizio. (LP: #921758)
* conf/ufw.defaults and doc/ufw-framework.8: add info on tftp connection
tracking modules
* fix traceback when specifying '--dry-run' with no arguments (LP: #946332)
* tests/testlib.sh: add 'http-or-www' argument to do_cmd() to try to
account for /etc/services files with http/udp instead of www/udp. Adjust
bad/apps and root/normalization for this (LP: #947224)
* conf/before6.rules: use correct ports for DHCPv6 and limit source and
destination addresses to autoconfiguration addresses (fe80::/10). Thanks
to Mathieu Trudel-Lapierre (LP: #947416)
* import new and updated Launchpad translations:
- po/ar.po, po/ast.po (new), po/bg.po, po/bs.po (new), po/ca.po, po/cs.po,
po/da.po, po/de.po, po/el.po, po/en_AU.po, po/en_GB.po, po/es.po,
po/fi.po, po/fr.po, po/he.po, po/hu.po, po/id.po, po/it.po,
po/ja.po (new), po/nb.po, po/nl.po, po/pl.po, po/pt_BR.po, po/pt.po,
po/ru.po, po/sk.po, po/sl.po, po/sr.po, po/sv.po, po/tl.po,
po/ur.po (new), po/zh_CN.po
- thanks to all contributors: https://translations.launchpad.net/ufw
* allow multiple interface matching via '+'. Thanks to Oliver Hookins.
(LP: #611838)
* allow application profiles to start with a digit (LP: #663632)
* don't traceback in show listening when a rule references a non-existent
interface (LP: #840500)
-- Jamie Strandboge <jamie@ubuntu.com> Fri, 09 Mar 2012 14:24:24 -0600
ufw (0.30.1) RELEASED; urgency=low
* allow for python 2.7 (verified to work with python 2.7.1)
* fix improper display of error messages. Patch thanks to Serguey Basalaev
(LP: #580032)
* profiles/ufw-mailserver: remove Postfix reference
* fix typo in warning (LP: #637876)
* fix manpage reference to /etc/default/ufw (Closes: 601111)
* mention quoting of application profile names with spaces (LP: #715676)
* fix man-page hyphenation in ufw.8
* run_tests.sh: adjust PATH if iptables can't be found
* adjust /etc/ufw/sysctl.conf to have commented out entries for ipv6 privacy
addressing
* profiles/ufw-fileserver: add svnserve profile (LP: #501140)
* use 'UFW AUDIT INVALID' for INVALID packets in medium and higher
* DROP packets with RH0 headers (LP: #740249)
* update README to discuss the default ruleset
* only allow mDNS multicast (LP: #740256)
* allow ping replies from multicast (LP: #720605)
-- Jamie Strandboge <jamie@ubuntu.com> Tue, 22 Mar 2011 12:06:10 -0500
ufw (0.30) RELEASED; urgency=low
* add example Upstart script
* error out when filesystem is read-only (LP: #430053)
* catch exception if can't find parent pid when refreshing application
profiles (LP: #424528)
* update manpage to clarify 'show' command (LP: #453083)
* update setup.py to use sys.executable and cleanup required binaries
* update test suite
- better handle iptables < 1.4 (tested with 1.3.8)
- allow alternate interpreter
* write loglevel rules to user rules (LP: #459925)
* properly log INVALID packets for medium and higher (LP: #480789)
* Makefile: clean up POTFILES target
* generate binary translations in setup.py rather than shipping them in
source (LP: #490366)
* src/ufw-init-functions: don't run 'already started' check unless
ENABLED. This should improve boot speed such that iptables is not
needlessly called which results in an unneeded modprobe.
* manpage fixes thanks to Loic Minier
* set "default" sysctl values before "all" values. Thanks to Loic Minier
* clean up parser to make it easier to add new functionality
* don't log LIMIT rules if logging is off (LP: #512131)
* fix for noisy services getting logged. Added new 'skip-to-policy' chains
that are now used in after*.rules (LP: #488032)
* add rsyslog example configuration and update README
* add reset command (LP: #436608)
* add --force option to enable (LP: #496267)
* decode("utf-8") some strings in 'status' to correct formatting errors with
with multibyte characters
* add more reports
* add delete by rule number (LP: #367571)
* add support for IPv6 tunnels and 6to4 (LP: #502655)
* fix occasional ufw errors during boot with upstart (/tmp not available)
(LP: #521359)
* normalize IPv6 addresses to standard python shortened notation
* follow iptables and don't require that an interface ends with a number
(LP: #568877)
* really allow IPv6 neighbor discovery (LP: #611982)
* add support for IPSec via the esp and ah protocols (LP: #606997)
* fix traceback in 'show listening' report (LP: #624199)
* fix inaccuracies in 'show listening' report with IPv6 (LP: #625340)
* update check-requirements to not check ip6tables modules needed for the
'limit' command
* import updated Launchpad translations:
- po/ar.po, po/bg.po, po/ca.po, po/cs.po, po/da.po, po/de.po, po/el.po,
po/en_AU.po, po/en_GB.po, po/es.po, po/fi.po, po/fr.po, po/he.po,
po/hu.po, po/id.po, po/it.po, po/nb.po, po/nl.po, po/pl.po, po/pt_BR.po,
po/pt.po, po/ru.po, po/sk.po, po/sl.po, po/sr.po, po/sv.po, po/tl.po,
po/zh_CN.po
- thanks to all contributors: https://translations.launchpad.net/ufw
-- Jamie Strandboge <jamie@ubuntu.com> Fri, 27 Aug 2010 15:30:43 -0500
ufw (0.29) RELEASE; urgency=low
* add egress filtering support:
- CLI command allows specifying direction in simple and extended syntax
- status reporting shows outgoing policy and outgoing rules
- allow changing default outgoing policy
- connection tracking rules for state NEW, when using a default policy
of ACCEPT for INPUT and OUTPUT, are now put in their own chains, rather
than configured in before*.rules
- add state RELATED,ESTABLISHED rule to ufw-before-output in before*.rules
like we do with ufw-before-input, to increase performance
- DEFAULT_OUTPUT_POLICY and DEFAULT_INPUT_POLICY can now also be set to
ACCEPT_NO_TRACK, which avoids adding connection tracking rules for
state NEW
- update documentation for the above
* add tests/check-requirements and integrate into test suite. This script
can be used to make sure that your system has all the required iptables
and netfilter functionality as described in README
* add doc/ufw-framework.8
* allow deletion of non-existent application rules introduced in 0.24.
(LP: #407810)
* import Launchpad translations:
- po/ar.po, po/bg.po, po/ca.po, po/cs.po, po/da.po, po/de.po, po/el.po,
po/en_AU.po, po/en_GB.po, po/fi.po, po/fr.po, po/he.po, po/hu.po,
po/id.po, po/it.po, po/nb.po, po/nl.po, po/pl.po, po/pt_BR.po, po/pt.po,
po/ru.po, po/sk.po, po/sl.po, po/sr.po, po/sv.po, po/tl.po, po/zh_CN.po
- thanks to all contributors: https://translations.launchpad.net/ufw
- moved translations into locales/po and locales/mo. setup.py installs
files in locales/mo
- translations are now installed into ${prefix}/share/ufw/messages
-- Jamie Strandboge <jamie@ubuntu.com> Tue, 25 Aug 2009 09:12:10 -0500
ufw (0.28) RELEASE; urgency=low
* translation fixes
* add interface rules
* update Makefile to fail if byte-compiling failed
* install rules files 0640 (LP: #393187)
* adjust help command for proper translation and bash completion support
* add limit command to help (LP: #358964)
* add shell-completion/bash. Based on work by Didier Roche
* tests/*: updated with 'nostats' option so redundant tests are counted
in test results. Update many root tests to use 'nostats'
* look for location of iptables and set IPTABLES_DIR in common.py. Adjust
calls to ip[6]tables* to use IPTABLES_DIR
* fix harmless but annoying bug where multi-rule application rules ended
up with ::/0 in the tuple line in user.rules (IPV4) when not specifying a
destination or source address and IPV6 is enabled
* make insert rule logic more robust
* update setup.py to install user rules and init script helpers into
/lib, rather than /var/lib and /usr/share/ufw. Update tests,
backend_iptables.py, ufw-init and documentation accordingly. (LP: #400208)
-- Jamie Strandboge <jamie@ubuntu.com> Wed, 15 Jul 2009 09:30:25 -0500
ufw (0.27.1) RELEASE; urgency=low
* update README for instructions on integrating ufw into the boot process
* adjust strings to better conform with translation guidelines (LP: #353424)
* adjust translation location to work with rosetta
-- Jamie Strandboge <jamie@ubuntu.com> Mon, 23 Mar 2009 12:06:27 -0500
ufw (0.27) RELEASE; urgency=low
* don't do symlink check anymore (LP: #317700)
* don't do hidden file check anymore (LP: #319226). Hidden application
profiles are already skipped, so this check only bumps into revision
control systems
* add 'status numbered' command
* more comments in conf/sysctl.conf
* add insert rule support (LP: #260745)
* read in rules from /var/lib/ufw/*.rules. This helps keep status inline
with reality and fixes (LP: #262975)
* add loglevel support. This also changed the default rules files
* add per rule logging support
* get rid of redundant RETURN rules
* update LIMIT logging prefix
* update setup.py to use subprocess instead of Popen3
-- Jamie Strandboge <jamie@ubuntu.com> Sat, 17 Jan 2009 07:15:25 -0600
ufw (0.26) RELEASE; urgency=low
* fix formatting when using 'app update all' (LP: #300726)
* add runtime version check for iptables and warn if using IPv6 application
rules with iptables < 1.4
* Makefile: depend on translations when making tarball
* remove more useless newlines
* man page updates
* display interfaces and exact packet counters in 'status raw'
* support REJECT for rules, default policy and default application policy
(LP: #197322)
* only flush and delete ufw chains
* add a 'flush-all' command to ufw-init
* add MANAGE_BUILTINS option to /etc/default/ufw, and when set to 'yes'
flush the built-in chains too
-- Jamie Strandboge <jamie@ubuntu.com> Fri, 16 Jan 2009 07:01:38 -0600
ufw (0.25) RELEASE; urgency=low
* new ChangeLog files for upstream tarballs. See ChangeLog.pre-0.25 for
previous changes, including Ubuntu-specific changes
* setup.py: don't install initscript anymore
* add example (non-LSB) initscript to doc/initscript.example
* split out initscript into ufw-init-functions, ufw-init (for use by
ufw itself) and doc/initscript.example (for use by distributions). This
makes ufw more robust and portable
* don't stop the firewall via the initscripts if ufw is not enabled
(LP: #311066)
* rename skel-ui to skel-ui.example
* README:
- add Distributions section
- update for initscript changes
- update What's in a Name
-- Jamie Strandboge <jamie@ubuntu.com> Mon, 22 Dec 2008 08:53:14 -0600
|
