If the packet to be rejected is a TCP packet, it will send back a tcp-reset
message, while for any other protocol it will send icmp-port-unreachable.
This is now the default behavior when no 'with' parameter is specified.
Also, the multicast service has been changed to additionally match
protocol No 2.
specified in the command line together with a command.
Now, when a filename is specified only three commands are valid:
debug, try, start
Fixed error handling to detect errors in a few functions where they were
previously ignored.
Updated documentation to reflect the above changes.
Updated interactive mode help and added directive 'in' as a shortcut to
interface eth0 internet
unconditionally from source port 53 when there was a:
client dns accept
This means that DNS is back to stateful mode.
Also, removed the RELATED state from ICMP, since it will be matched
at the end of the interface or firewall.
Added interactive commands 'help', 'show' and 'quit'.
Now the interactive mode automatically generates a configuration file
from all the successful commands.
Made interactive mode accept variable definitions and loops.
mode.
This resulted in discovering bugs in NFS (fixed) and masquerade (fixed).
Also, enriched the error handler to be more descriptive about what
FireHOL is doing.
Kernel modules are now loaded at run time.
The old firewall is now saved before the configuration file is processed,
to make sure it cannot be altered by accident by illegal commands in the
configuration file.
FireHOL enables kernel routing automatically when there is at least one
router defined in the configuration.
Now the configuration accepts the command line arguments given to FireHOL.
To pass a set of arguments to the configuration, either just append them to
the FireHOL command line or (in case it is not clear whether an argument is
meant for FireHOL or for the configuration) precede the configuration
arguments with -- (two dashes).
an error and were not producing any iptables statements.
This was happening because FireHOL relies on nested BASH loops, and bash
does not loop with empty iterations...
(i.e. optimum) quality of iptables firewall.
Now, instead of the linked-list that was created for negative expressions,
we match all positive expressions before the negatives and all the
negatives are together in one chain.
This also fixed possible performance problems due to the large number
of chains and rules that the packets had to traverse in order to get
matched (or not matched).
The fact that positive rules are now matched before negatives also has the
benefit that not all traffic has to be matched against the negatives. Now,
first we select what might be good for a rule, and then we check whether this
breaks the negative expressions.
Last, this made the iptables firewall much clearer and more human readable.
They treat it as cat <<EOF and thus they do variable substitution on the
text.
Now, FireHOL still uses cat <<EOF, but the text has been escaped in order to
avoid variable substitution.
The problem was reported by Florian Thiel <thiel@ksan.de>.
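The substitution problem above, shown as an added example that is not FireHOL's own code: text spliced into an unquoted heredoc is expanded by the shell (variables and command substitutions alike) when the generated script is parsed, and escaping backslash, dollar and backtick before splicing keeps it literal. The sample rule text and the SRC value are constructed.

```sh
#!/bin/sh
# Constructed value that happens to be set while the script is generated.
SRC="10.0.0.1"

# Escape the three characters an unquoted heredoc body interprets:
# backslash first (so the escapes added next are not doubled), then $ and `.
escape_heredoc() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/\$/\\$/g' -e 's/`/\\`/g'
}

# The old behaviour: the text becomes a heredoc body that the shell re-parses
# (eval stands in for "written to the generated script and read back"), so
# $SRC is replaced and any $(...) inside the text is executed at generation time.
splice_unsafe() {
    eval "cat <<EOF
$1
EOF"
}

# The fixed behaviour: the same heredoc, but the text is escaped before it is
# spliced in, so the generated script receives it byte for byte.
splice_safe() {
    eval "cat <<EOF
$(escape_heredoc "$1")
EOF"
}

# Constructed rule fragment containing a variable and a command substitution.
TEXT='-s $SRC -m comment --comment "$(printf injected)"'
echo "unsafe: $(splice_unsafe "$TEXT")"
echo "safe:   $(splice_safe "$TEXT")"
```

Escaping does not protect against a text line that equals the delimiter itself; when the text needs no expansion at all, quoting the delimiter (cat <<'EOF') is the simpler fix.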
order to handle quoted arguments accurately.
Fixed a bug in postprocessing error handler that did not present the
command line that produced the error.
Fixed iptables generation to support quoted arguments.
Made chain names shorter.
Every single element in the FireHOL config now gets its own chain.
Previously, the same services (e.g. smtp servers) were implemented using
only one pair of chains.
Enhanced the error handler for logical and syntactical errors. Now it says
where and why an error occurred.
a. Fixed service IRC to work on TCP instead of UDP.
b. Added services: UUCP, VNC, WEBCACHE, IMAPS, IKE.
Also fixed the home-router.conf example (it was outdated).
'any' allows the administrator to define any stateful rule to match services
that cannot have source and destination ports, such as unusual protocols.
Syntax: type any name action [optional rule parameters]
type: server/client/route
name: the name for the service (used for the chain)
action: accept, reject, etc.
Added service: multicast
Multicast allows the administrator to match packets with destination
224.0.0.0/8 in both directions (input/output).
that when used it activates the firewall and waits 30 seconds for the
administrator to type 'commit' in order to keep the firewall active.
If the administrator does not write 'commit' or the timeout passes, FireHOL
restores the previous firewall.
Also, if you break (Ctrl-C) FireHOL while activating the new firewall,
FireHOL will restore the old firewall.
protections.
Made the core of FireHOL operate on multiple tables (not assuming the
rules refer to the 'filter' table). This will allow FireHOL to support
all kinds of NAT chains in the future.
(The old 'route' subcommand is an alias for the 'server' subcommand -
within a router).
Protection can be reversed on routers to match outface instead of inface.
Masquerade can be used in interfaces, in routers (it matches outface, but can
be reversed to match inface), or as a primary command with all the
interfaces to be masqueraded given as an argument.