firehol (3.1.7) - 2020-12-31 * FireHOL - Fix dhcpv6 example to say dhcpv6 #438 - blacklist - add "nolog" option - blacklist - reject with tcp-reset for outbound TCP connections - firehol.service - Use `firehol start` for ExecReload= - Don't drop icmpv6 rules with FIREHOL_RULESET_MODE optimal #372 * FireQos - workaround for cases where "-ifb" name gets truncated - Fix for low-res timer check on openwrt * Common - Replace Travis with Github actions - Various typo fixes - Print unit test names as we run them - Unit test fixes for Ubuntu 20.20 output differences firehol (3.1.6) - 2018-08-13 * FireHOL - Boot startup fix #260 - docker_bridge helper #114 - Allow newer iptables #264 - Log blocked/dropped packets in synproxy, mac, connlimit, fragments, ... - Fix wait for netfilter ready when using namespaces - Fast activation fixes #272 - Allow matching DSCP CS0; fixes #288 - Moved service definitions out of firehol / fireqos into separate files - Allow DROP_INVALID with any action (e.g. REJECT) - Add option FIREHOL_ACCEPT_OUTPUT_UNMATCHED_TCP_RST * FireQOS - Fix status to works with newer iproute; fixes #317 - Update sample service definition to start after network #315 * Link-Balancer - linkdown: routes cannot be added or deleted whilst marked invalid #211 * Update-Ipsets - Various fixes, including #266 #265 - List additions, updates and removals - Minor enhancements * Common - Fix parallel builds #255 - Harden unit tests against tool output changes firehol (3.1.5) - 2017-09-17 * FireHOL - Fix some links in documentation * FireQOS - Insert a rawmark mask if none specified * Update-Ipsets - Support serving ipset files from local web server - Lower pressure on github firehol (3.1.4) - 2017-08-20 * FireHOL - Google hangouts port range fix #235 - Fix hashlimit option names #223 - Documentation improvements, marks #184 and cthelper #94 - Allow negating interface in blacklist #143 * FireQOS - DSCP match fixes #248 - TCP match fix #249 - Improve docs on using act_connmark to match ingress marked traffic #231 * Update-Ipsets - Added various lists, removed discontinued ones - Include URL in user agent string in #217 - Relax umask to allow stats collection by netdata #221 firehol (3.1.3) - 2017-02-17 * FireHOL - Be more strict when detecting address ranges Fixes #199 where hostnames such as x-2.example.com are incorrectly identified as ranges. * Common - Create relative links to binaries, which prevents errors when installing with DESTDIR other than / Fix for #178 and #201 proposed by @kneeke firehol (3.1.2) - 2017-02-05 * FireHOL - Include user policies in chains before handling orphans. Fixes NFS client where FIREHOL_DROP_ORPHAN_TCP_* options are in force. - Do not allow server/client statements without any effect on the firewall; #193 - Saved firewall contents made reproducible by always zeroing counters and removing the dates from comments * FireQOS - Example had an ambiguous shebang which has been removed * Common - Running "make check" now exits non-zero if a test failed or none ran - Various copyright updates - Fixed pull requests from external repositories; these would previously fail to build on Travis firehol (3.1.1) - 2017-01-10 * FireHOL - Accept correctly spelled keyword stateful as well as statefull to match documentation * VNetBuild - drop ksh support (bash is preferred and required by other programs) * Common - drop ksh detection from configure script * Update-Ipsets - added urandom.us.to list - added dataplane.org SIP Invitation and SIP Registration feeds firehol (3.1.0) - 2016-11-28 * Common - Rework installation to make full use of autoconf results in all programs - Enabled unit tests on "make check", provided the user has unprivileged user namespaces enabled. * FireHOL - Option to disable wizard (reduces required tools slightly) and other fixes for small systems e.g. OpenWRT - Emit help in syslog on failure if we are running with no terminal since otherwise when running via systemd a user cannot see full error. - Deprecated service ipv6error, not needed since 3.0.0. Moved ICMPv6 RELATED matching earlier to stop user accidentally preventing them. * VNetBuild - improve graphviz output firehol (3.0.2) - 2016-11-22 * FireHOL - Fix transparent_proxy IPV6 output #164 - sysctl commands for synproxy, did not specify read or write operation - added manual page for cthelper - added connlimit to blacklist and iptrap - added stateful option to blacklist - FIREHOL_DROP_ORPHAN_TCP_ACK_FIN fixed to match only ACK+FIN - FIREHOL_DROP_ORPHAN_TCP_ACK_RST added - FIREHOL_DROP_ORPHAN_TCP_ACK added - FIREHOL_DROP_ORPHAN_TCP_RST added - FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 (orphan destination unreachable) - added the word BLOCKED to the log messages of INVALID packets dropped * FireQOS - experimental ematch support #125 - new functions #113 * VNetBuild - fix for not detecting running vhosts - added command comments on status output * Link-Balancer - Detect if ping -6 should be used #126 * Update-IPsets - Various feed additions and fixes * Common - Fix commit hook regex for newer perl - Documentation fixes firehol (3.0.1) - 2016-01-10 * FireHOL - Add ipv6mld to simplify enabling Multicast Listener Discovery protocol, required on networks which do multicast snooping. - Update the example to make it more likely to work copy-pasted, include MLD * VNetBuild - Add pre_up to run commands immediately before an interface is started * Common - Packaging fixes - Command detection fix for : firehol (3.0.0) - 2015-12-20 * FireQOS - Bidirectional fixes - accept DSCP parameters case insensitive - allow matching within GRE packets - use configured firehol config directory * Update-Ipsets - added jigsaw lists firehol (3.0.0-rc.4) - 2015-11-28 * Rework packaging - Simplify version number handling - Common functions moved to a file in lib - Allow disabling IPv4/IPv6 at configure time - Allow disabling any unwanted tools - Allow disabling manpages and/or docs - Honour configure script setting for AUTOSAVE and others - All commands detected via configure, used via variables Incuding new 'iprange' tool https://github.com/firehol/iprange/releases * FireHOL - Fixes to DSCP class - added protection *connlimit* and *connrate*; removed default mask from parameter connlimit - added rule option *connlog* to only log the first packet of connections added *hashlimit* with all its options - most actions now accept the keywork *with* which also supports *with connlimit* and *with hashlimit* - use iprange --diff mode for comparing ipset versions * FireQOS - fail if DSCP and TOS match have been specified at the same time - various fixes * VNetBuild - Eliminate dependency on brctl * Update-Ipsets - Promoted from contrib - Various improvements firehol (3.0.0-rc.3) - 2015-10-10 * Common - ipset fixes - require pandoc 1.12.2.1 and use its features - iprove contents page in documentation * FireHOL updates - made STOP mode exit successfully - add support for restore when specifying a filename on the command line - allow multiple "except" rules in statements that accept the keyword - disabled spinner in explain mode - add support for comma as an ipset IP separator - tproxy now uses markdef() to allocate a mark - save marks.conf only after successful firewall activation - drop requirement for awk (other programs still use it) - add log() and loglimit() helpers to allow logging from ipsets globally - prevented backup of all the ipsets in memory - it takes too long when the system has many ipsets installed - rewrote the ipsets functionality so that:s - it optimizes netsets with iprange if present - it adapts the maxelem parameter for the updated ipset so that updating ipsets with big incremental updates does not fail - maintains compatibility with older ipset versions (side-effect: calling an ipset update without restarting the firewall now only support ipsets that are used in firehol.conf) - if iprange is present, processing of ipsets is a lot faster * FireQOS updates - add ability to stop QoS on a specific device - fix for ERROR columns on some tc versions - max/ceil % is now relative to parent's ceiling rate (it was by mistake to parent's base rate) - warn if a class takes priority outside the valid ranges of HTB (0-7) - switched default color from blue to green * Link-Balancer updates - add wrappers for rawmark() and custommark() - when a table was already up to date but other depend on it, it was failing #78 - fix issue when specifying loop and timeout #77 * Contrib (ipsets scripts) - various fixes and lists added - support aggregate to optimize netsets - support syslog logging - add iprange program, various enhancements over original * VNetBuild updates - Added firehol (3.0.0-rc.2) - 2015-03-14 * Common - Added --disable-doc to configure script to stop the installation of PDF and HTML versions of documentation - Start to bring documentation in line - Disable colour on non-terminals * FireHOL updates - Added synproxy support - Services "all" and "any" are now simple services. Service "all" now has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN. - Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately - Fix empty firewall case - Added state NEW to masquerade - Fix to ensure the final firewall close code emits as both ipv4 and ipv6 where appropriate even if only ipv4 or ipv6 was used for the final interface/router - Added action type "sockets_suspects_trap" - iptrap now creates the trap if it is not already created - Eliminate a warning for kernels prior to 3.5 - NAT now supports balancing multiple IPs or ports on all NAT modes - NAT now supports keyword "at" to specify the chain to be attached to - Optimise multi-port matching rules * FireQOS updates - Optimisations - Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP - Fixed monitor mode * Link-Balancer updates - Fix to stop ignoring fallback gateways - Use "traceroute -6" not "traceroute6" firehol (3.0.0-rc.1) - 2015-02-15 * Performance improvements - Both the script and resulting firewalls are faster - Choose original complete bi-directional or even faster runtime matching * New firewall features - ipset support and management - IDS and port knocking with traps - multiple mark definitions - conntrack helpers - experimental tproxy support - separate default settings file * Introduction of link-balancer script