mirror of
https://github.com/firehol/firehol.git
synced 2024-06-27 09:28:18 +00:00
360 lines
11 KiB
Plaintext
360 lines
11 KiB
Plaintext
firehol (3.1.7) - 2020-12-31
|
|
|
|
* FireHOL
|
|
- Fix dhcpv6 example to say dhcpv6 #438
|
|
- blacklist - add "nolog" option
|
|
- blacklist - reject with tcp-reset for outbound TCP connections
|
|
- firehol.service - Use `firehol start` for ExecReload=
|
|
- Don't drop icmpv6 rules with FIREHOL_RULESET_MODE optimal #372
|
|
|
|
* FireQos
|
|
- workaround for cases where "-ifb" name gets truncated
|
|
- Fix for low-res timer check on openwrt
|
|
|
|
* Common
|
|
- Replace Travis with Github actions
|
|
- Various typo fixes
|
|
- Print unit test names as we run them
|
|
- Unit test fixes for Ubuntu 20.20 output differences
|
|
|
|
firehol (3.1.6) - 2018-08-13
|
|
|
|
* FireHOL
|
|
|
|
- Boot startup fix #260
|
|
- docker_bridge helper #114
|
|
- Allow newer iptables #264
|
|
- Log blocked/dropped packets in synproxy, mac, connlimit, fragments, ...
|
|
- Fix wait for netfilter ready when using namespaces
|
|
- Fast activation fixes #272
|
|
- Allow matching DSCP CS0; fixes #288
|
|
- Moved service definitions out of firehol / fireqos into separate files
|
|
- Allow DROP_INVALID with any action (e.g. REJECT)
|
|
- Add option FIREHOL_ACCEPT_OUTPUT_UNMATCHED_TCP_RST
|
|
|
|
* FireQOS
|
|
|
|
- Fix status to works with newer iproute; fixes #317
|
|
- Update sample service definition to start after network #315
|
|
|
|
* Link-Balancer
|
|
|
|
- linkdown: routes cannot be added or deleted whilst marked invalid #211
|
|
|
|
* Update-Ipsets
|
|
|
|
- Various fixes, including #266 #265
|
|
- List additions, updates and removals
|
|
- Minor enhancements
|
|
|
|
* Common
|
|
|
|
- Fix parallel builds #255
|
|
- Harden unit tests against tool output changes
|
|
|
|
firehol (3.1.5) - 2017-09-17
|
|
|
|
* FireHOL
|
|
|
|
- Fix some links in documentation
|
|
|
|
* FireQOS
|
|
|
|
- Insert a rawmark mask if none specified
|
|
|
|
* Update-Ipsets
|
|
|
|
- Support serving ipset files from local web server
|
|
- Lower pressure on github
|
|
|
|
firehol (3.1.4) - 2017-08-20
|
|
|
|
* FireHOL
|
|
|
|
- Google hangouts port range fix #235
|
|
- Fix hashlimit option names #223
|
|
- Documentation improvements, marks #184 and cthelper #94
|
|
- Allow negating interface in blacklist #143
|
|
|
|
* FireQOS
|
|
|
|
- DSCP match fixes #248
|
|
- TCP match fix #249
|
|
- Improve docs on using act_connmark to match ingress marked traffic #231
|
|
|
|
* Update-Ipsets
|
|
|
|
- Added various lists, removed discontinued ones
|
|
- Include URL in user agent string in #217
|
|
- Relax umask to allow stats collection by netdata #221
|
|
|
|
|
|
firehol (3.1.3) - 2017-02-17
|
|
|
|
* FireHOL
|
|
|
|
- Be more strict when detecting address ranges
|
|
|
|
Fixes #199 where hostnames such as x-2.example.com are incorrectly
|
|
identified as ranges.
|
|
|
|
* Common
|
|
|
|
- Create relative links to binaries, which prevents errors when
|
|
installing with DESTDIR other than /
|
|
|
|
Fix for #178 and #201 proposed by @kneeke
|
|
|
|
firehol (3.1.2) - 2017-02-05
|
|
|
|
* FireHOL
|
|
- Include user policies in chains before handling orphans. Fixes NFS
|
|
client where FIREHOL_DROP_ORPHAN_TCP_* options are in force.
|
|
|
|
- Do not allow server/client statements without any effect on the
|
|
firewall; #193
|
|
|
|
- Saved firewall contents made reproducible by always zeroing counters
|
|
and removing the dates from comments
|
|
|
|
* FireQOS
|
|
|
|
- Example had an ambiguous shebang which has been removed
|
|
|
|
* Common
|
|
|
|
- Running "make check" now exits non-zero if a test failed or none ran
|
|
|
|
- Various copyright updates
|
|
|
|
- Fixed pull requests from external repositories; these would previously
|
|
fail to build on Travis
|
|
|
|
firehol (3.1.1) - 2017-01-10
|
|
|
|
* FireHOL
|
|
- Accept correctly spelled keyword stateful as well as statefull
|
|
to match documentation
|
|
|
|
* VNetBuild
|
|
- drop ksh support (bash is preferred and required by other programs)
|
|
|
|
* Common
|
|
- drop ksh detection from configure script
|
|
|
|
* Update-Ipsets
|
|
- added urandom.us.to list
|
|
- added dataplane.org SIP Invitation and SIP Registration feeds
|
|
|
|
firehol (3.1.0) - 2016-11-28
|
|
|
|
* Common
|
|
- Rework installation to make full use of autoconf results in all
|
|
programs
|
|
- Enabled unit tests on "make check", provided the user has
|
|
unprivileged user namespaces enabled.
|
|
|
|
* FireHOL
|
|
- Option to disable wizard (reduces required tools slightly) and
|
|
other fixes for small systems e.g. OpenWRT
|
|
- Emit help in syslog on failure if we are running with no terminal
|
|
since otherwise when running via systemd a user cannot see full error.
|
|
- Deprecated service ipv6error, not needed since 3.0.0. Moved ICMPv6
|
|
RELATED matching earlier to stop user accidentally preventing them.
|
|
|
|
* VNetBuild
|
|
- improve graphviz output
|
|
|
|
firehol (3.0.2) - 2016-11-22
|
|
|
|
* FireHOL
|
|
- Fix transparent_proxy IPV6 output #164
|
|
- sysctl commands for synproxy, did not specify read or write operation
|
|
- added manual page for cthelper
|
|
- added connlimit to blacklist and iptrap
|
|
- added stateful option to blacklist
|
|
- FIREHOL_DROP_ORPHAN_TCP_ACK_FIN fixed to match only ACK+FIN
|
|
- FIREHOL_DROP_ORPHAN_TCP_ACK_RST added
|
|
- FIREHOL_DROP_ORPHAN_TCP_ACK added
|
|
- FIREHOL_DROP_ORPHAN_TCP_RST added
|
|
- FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 (orphan destination unreachable)
|
|
- added the word BLOCKED to the log messages of INVALID packets dropped
|
|
|
|
* FireQOS
|
|
- experimental ematch support #125
|
|
- new functions #113
|
|
|
|
* VNetBuild
|
|
- fix for not detecting running vhosts
|
|
- added command comments on status output
|
|
|
|
* Link-Balancer
|
|
- Detect if ping -6 should be used #126
|
|
|
|
* Update-IPsets
|
|
- Various feed additions and fixes
|
|
|
|
* Common
|
|
- Fix commit hook regex for newer perl
|
|
- Documentation fixes
|
|
|
|
firehol (3.0.1) - 2016-01-10
|
|
|
|
* FireHOL
|
|
- Add ipv6mld to simplify enabling Multicast Listener Discovery
|
|
protocol, required on networks which do multicast snooping.
|
|
- Update the example to make it more likely to work copy-pasted,
|
|
include MLD
|
|
|
|
* VNetBuild
|
|
- Add pre_up to run commands immediately before an interface is started
|
|
|
|
* Common
|
|
- Packaging fixes
|
|
- Command detection fix for :
|
|
|
|
firehol (3.0.0) - 2015-12-20
|
|
|
|
* FireQOS
|
|
- Bidirectional fixes
|
|
- accept DSCP parameters case insensitive
|
|
- allow matching within GRE packets
|
|
- use configured firehol config directory
|
|
|
|
* Update-Ipsets
|
|
- added jigsaw lists
|
|
|
|
firehol (3.0.0-rc.4) - 2015-11-28
|
|
|
|
* Rework packaging
|
|
- Simplify version number handling
|
|
- Common functions moved to a file in lib
|
|
- Allow disabling IPv4/IPv6 at configure time
|
|
- Allow disabling any unwanted tools
|
|
- Allow disabling manpages and/or docs
|
|
- Honour configure script setting for AUTOSAVE and others
|
|
- All commands detected via configure, used via variables
|
|
Incuding new 'iprange' tool https://github.com/firehol/iprange/releases
|
|
|
|
* FireHOL
|
|
- Fixes to DSCP class
|
|
- added protection *connlimit* and *connrate*; removed default mask
|
|
from parameter connlimit
|
|
- added rule option *connlog* to only log the first packet of connections
|
|
added *hashlimit* with all its options
|
|
- most actions now accept the keywork *with* which also supports
|
|
*with connlimit* and *with hashlimit*
|
|
- use iprange --diff mode for comparing ipset versions
|
|
|
|
* FireQOS
|
|
- fail if DSCP and TOS match have been specified at the same time
|
|
- various fixes
|
|
|
|
* VNetBuild
|
|
- Eliminate dependency on brctl
|
|
|
|
* Update-Ipsets
|
|
- Promoted from contrib
|
|
- Various improvements
|
|
|
|
firehol (3.0.0-rc.3) - 2015-10-10
|
|
|
|
* Common
|
|
- ipset fixes
|
|
- require pandoc 1.12.2.1 and use its features
|
|
- iprove contents page in documentation
|
|
|
|
* FireHOL updates
|
|
- made STOP mode exit successfully
|
|
- add support for restore when specifying a filename on the command line
|
|
- allow multiple "except" rules in statements that accept the keyword
|
|
- disabled spinner in explain mode
|
|
- add support for comma as an ipset IP separator
|
|
- tproxy now uses markdef() to allocate a mark
|
|
- save marks.conf only after successful firewall activation
|
|
- drop requirement for awk (other programs still use it)
|
|
- add log() and loglimit() helpers to allow logging from ipsets globally
|
|
- prevented backup of all the ipsets in memory - it takes too long
|
|
when the system has many ipsets installed
|
|
- rewrote the ipsets functionality so that:s
|
|
- it optimizes netsets with iprange if present
|
|
- it adapts the maxelem parameter for the updated ipset so that
|
|
updating ipsets with big incremental updates does not fail
|
|
- maintains compatibility with older ipset versions
|
|
(side-effect: calling an ipset update without restarting the
|
|
firewall now only support ipsets that are used in firehol.conf)
|
|
- if iprange is present, processing of ipsets is a lot faster
|
|
|
|
* FireQOS updates
|
|
- add ability to stop QoS on a specific device
|
|
- fix for ERROR columns on some tc versions
|
|
- max/ceil % is now relative to parent's ceiling rate
|
|
(it was by mistake to parent's base rate)
|
|
- warn if a class takes priority outside the valid ranges of HTB (0-7)
|
|
- switched default color from blue to green
|
|
|
|
* Link-Balancer updates
|
|
- add wrappers for rawmark() and custommark()
|
|
- when a table was already up to date but other depend on it,
|
|
it was failing #78
|
|
- fix issue when specifying loop and timeout #77
|
|
|
|
* Contrib (ipsets scripts)
|
|
- various fixes and lists added
|
|
- support aggregate to optimize netsets
|
|
- support syslog logging
|
|
- add iprange program, various enhancements over original
|
|
|
|
* VNetBuild updates
|
|
- Added
|
|
|
|
firehol (3.0.0-rc.2) - 2015-03-14
|
|
|
|
* Common
|
|
- Added --disable-doc to configure script to stop the installation
|
|
of PDF and HTML versions of documentation
|
|
- Start to bring documentation in line
|
|
- Disable colour on non-terminals
|
|
|
|
* FireHOL updates
|
|
- Added synproxy support
|
|
- Services "all" and "any" are now simple services. Service "all" now
|
|
has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN.
|
|
- Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately
|
|
- Fix empty firewall case
|
|
- Added state NEW to masquerade
|
|
- Fix to ensure the final firewall close code emits as both ipv4 and ipv6
|
|
where appropriate even if only ipv4 or ipv6 was used for the final
|
|
interface/router
|
|
- Added action type "sockets_suspects_trap"
|
|
- iptrap now creates the trap if it is not already created
|
|
- Eliminate a warning for kernels prior to 3.5
|
|
- NAT now supports balancing multiple IPs or ports on all NAT modes
|
|
- NAT now supports keyword "at" to specify the chain to be attached to
|
|
- Optimise multi-port matching rules
|
|
|
|
* FireQOS updates
|
|
- Optimisations
|
|
- Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP
|
|
- Fixed monitor mode
|
|
|
|
* Link-Balancer updates
|
|
- Fix to stop ignoring fallback gateways
|
|
- Use "traceroute -6" not "traceroute6"
|
|
|
|
firehol (3.0.0-rc.1) - 2015-02-15
|
|
|
|
* Performance improvements
|
|
- Both the script and resulting firewalls are faster
|
|
- Choose original complete bi-directional or even faster runtime matching
|
|
|
|
* New firewall features
|
|
- ipset support and management
|
|
- IDS and port knocking with traps
|
|
- multiple mark definitions
|
|
- conntrack helpers
|
|
- experimental tproxy support
|
|
- separate default settings file
|
|
|
|
* Introduction of link-balancer script
|