firehol (3.0.2) - 2016-11-22 * FireHOL - Fix transparent_proxy IPV6 output #164 - sysctl commands for synproxy, did not specify read or write operation - added manual page for cthelper - added connlimit to blacklist and iptrap - added stateful option to blacklist - FIREHOL_DROP_ORPHAN_TCP_ACK_FIN fixed to match only ACK+FIN - FIREHOL_DROP_ORPHAN_TCP_ACK_RST added - FIREHOL_DROP_ORPHAN_TCP_ACK added - FIREHOL_DROP_ORPHAN_TCP_RST added - FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 (orphan destination unreachable) - added the word BLOCKED to the log messages of INVALID packets dropped * FireQOS - experimental ematch support #125 - new functions #113 * VNetBuild - fix for not detecting running vhosts - added command comments on status output * Link-Balancer - Detect if ping -6 should be used #126 * Update-IPsets - Various feed additions and fixes * Common - Fix commit hook regex for newer perl - Documentation fixes firehol (3.0.1) - 2016-01-10 * FireHOL - Add ipv6mld to simplify enabling Multicast Listener Discovery protocol, required on networks which do multicast snooping. - Update the example to make it more likely to work copy-pasted, include MLD * VNetBuild - Add pre_up to run commands immediately before an interface is started * Common - Packaging fixes - Command detection fix for : firehol (3.0.0) - 2015-12-20 * FireQOS - Bidirectional fixes - accept DSCP parameters case insensitive - allow matching within GRE packets - use configured firehol config directory * Update-Ipsets - added jigsaw lists firehol (3.0.0-rc.4) - 2015-11-28 * Rework packaging - Simplify version number handling - Common functions moved to a file in lib - Allow disabling IPv4/IPv6 at configure time - Allow disabling any unwanted tools - Allow disabling manpages and/or docs - Honour configure script setting for AUTOSAVE and others - All commands detected via configure, used via variables Incuding new 'iprange' tool https://github.com/firehol/iprange/releases * FireHOL - Fixes to DSCP class - added protection *connlimit* and *connrate*; removed default mask from parameter connlimit - added rule option *connlog* to only log the first packet of connections added *hashlimit* with all its options - most actions now accept the keywork *with* which also supports *with connlimit* and *with hashlimit* - use iprange --diff mode for comparing ipset versions * FireQOS - fail if DSCP and TOS match have been specified at the same time - various fixes * VNetBuild - Eliminate dependency on brctl * Update-Ipsets - Promoted from contrib - Various improvements firehol (3.0.0-rc.3) - 2015-10-10 * Common - ipset fixes - require pandoc 1.12.2.1 and use its features - iprove contents page in documentation * FireHOL updates - made STOP mode exit successfully - add support for restore when specifying a filename on the command line - allow multiple "except" rules in statements that accept the keyword - disabled spinner in explain mode - add support for comma as an ipset IP separator - tproxy now uses markdef() to allocate a mark - save marks.conf only after successful firewall activation - drop requirement for awk (other programs still use it) - add log() and loglimit() helpers to allow logging from ipsets globally - prevented backup of all the ipsets in memory - it takes too long when the system has many ipsets installed - rewrote the ipsets functionality so that:s - it optimizes netsets with iprange if present - it adapts the maxelem parameter for the updated ipset so that updating ipsets with big incremental updates does not fail - maintains compatibility with older ipset versions (side-effect: calling an ipset update without restarting the firewall now only support ipsets that are used in firehol.conf) - if iprange is present, processing of ipsets is a lot faster * FireQOS updates - add ability to stop QoS on a specific device - fix for ERROR columns on some tc versions - max/ceil % is now relative to parent's ceiling rate (it was by mistake to parent's base rate) - warn if a class takes priority outside the valid ranges of HTB (0-7) - switched default color from blue to green * Link-Balancer updates - add wrappers for rawmark() and custommark() - when a table was already up to date but other depend on it, it was failing #78 - fix issue when specifying loop and timeout #77 * Contrib (ipsets scripts) - various fixes and lists added - support aggregate to optimize netsets - support syslog logging - add iprange program, various enhancements over original * VNetBuild updates - Added firehol (3.0.0-rc.2) - 2015-03-14 * Common - Added --disable-doc to configure script to stop the installation of PDF and HTML versions of documentation - Start to bring documentation in line - Disable colour on non-terminals * FireHOL updates - Added synproxy support - Services "all" and "any" are now simple services. Service "all" now has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN. - Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately - Fix empty firewall case - Added state NEW to masquerade - Fix to ensure the final firewall close code emits as both ipv4 and ipv6 where appropriate even if only ipv4 or ipv6 was used for the final interface/router - Added action type "sockets_suspects_trap" - iptrap now creates the trap if it is not already created - Eliminate a warning for kernels prior to 3.5 - NAT now supports balancing multiple IPs or ports on all NAT modes - NAT now supports keyword "at" to specify the chain to be attached to - Optimise multi-port matching rules * FireQOS updates - Optimisations - Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP - Fixed monitor mode * Link-Balancer updates - Fix to stop ignoring fallback gateways - Use "traceroute -6" not "traceroute6" firehol (3.0.0-rc.1) - 2015-02-15 * Performance improvements - Both the script and resulting firewalls are faster - Choose original complete bi-directional or even faster runtime matching * New firewall features - ipset support and management - IDS and port knocking with traps - multiple mark definitions - conntrack helpers - experimental tproxy support - separate default settings file * Introduction of link-balancer script