mirror of
https://github.com/firehol/firehol.git
synced 2024-06-27 09:28:18 +00:00
193 lines
6.7 KiB
Plaintext
firehol (3.0.2) - 2016-11-22

  * FireHOL
    - Fix transparent_proxy IPV6 output #164
    - sysctl commands for synproxy, did not specify read or write operation
    - added manual page for cthelper
    - added connlimit to blacklist and iptrap
    - added stateful option to blacklist
    - FIREHOL_DROP_ORPHAN_TCP_ACK_FIN fixed to match only ACK+FIN
    - FIREHOL_DROP_ORPHAN_TCP_ACK_RST added
    - FIREHOL_DROP_ORPHAN_TCP_ACK added
    - FIREHOL_DROP_ORPHAN_TCP_RST added
    - FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 (orphan destination unreachable)
    - added the word BLOCKED to the log messages of INVALID packets dropped

  * FireQOS
    - experimental ematch support #125
    - new functions #113

  * VNetBuild
    - fix for not detecting running vhosts
    - added command comments on status output

  * Link-Balancer
    - Detect if ping -6 should be used #126

  * Update-IPsets
    - Various feed additions and fixes

  * Common
    - Fix commit hook regex for newer perl
    - Documentation fixes

firehol (3.0.1) - 2016-01-10

  * FireHOL
    - Add ipv6mld to simplify enabling Multicast Listener Discovery
      protocol, required on networks which do multicast snooping.
    - Update the example to make it more likely to work copy-pasted,
      include MLD

  * VNetBuild
    - Add pre_up to run commands immediately before an interface is started

  * Common
    - Packaging fixes
    - Command detection fix for :

firehol (3.0.0) - 2015-12-20

  * FireQOS
    - Bidirectional fixes
    - accept DSCP parameters case insensitive
    - allow matching within GRE packets
    - use configured firehol config directory

  * Update-Ipsets
    - added jigsaw lists

firehol (3.0.0-rc.4) - 2015-11-28

  * Rework packaging
    - Simplify version number handling
    - Common functions moved to a file in lib
    - Allow disabling IPv4/IPv6 at configure time
    - Allow disabling any unwanted tools
    - Allow disabling manpages and/or docs
    - Honour configure script setting for AUTOSAVE and others
    - All commands detected via configure, used via variables
      Including new 'iprange' tool https://github.com/firehol/iprange/releases

  * FireHOL
    - Fixes to DSCP class
    - added protection *connlimit* and *connrate*; removed default mask
      from parameter connlimit
    - added rule option *connlog* to only log the first packet of connections
      added *hashlimit* with all its options
    - most actions now accept the keyword *with* which also supports
      *with connlimit* and *with hashlimit*
    - use iprange --diff mode for comparing ipset versions

  * FireQOS
    - fail if DSCP and TOS match have been specified at the same time
    - various fixes

  * VNetBuild
    - Eliminate dependency on brctl

  * Update-Ipsets
    - Promoted from contrib
    - Various improvements

firehol (3.0.0-rc.3) - 2015-10-10

  * Common
    - ipset fixes
    - require pandoc 1.12.2.1 and use its features
    - improve contents page in documentation

  * FireHOL updates
    - made STOP mode exit successfully
    - add support for restore when specifying a filename on the command line
    - allow multiple "except" rules in statements that accept the keyword
    - disabled spinner in explain mode
    - add support for comma as an ipset IP separator
    - tproxy now uses markdef() to allocate a mark
    - save marks.conf only after successful firewall activation
    - drop requirement for awk (other programs still use it)
    - add log() and loglimit() helpers to allow logging from ipsets globally
    - prevented backup of all the ipsets in memory - it takes too long
      when the system has many ipsets installed
    - rewrote the ipsets functionality so that:
      - it optimizes netsets with iprange if present
      - it adapts the maxelem parameter for the updated ipset so that
        updating ipsets with big incremental updates does not fail
      - maintains compatibility with older ipset versions
        (side-effect: calling an ipset update without restarting the
        firewall now only supports ipsets that are used in firehol.conf)
      - if iprange is present, processing of ipsets is a lot faster

  * FireQOS updates
    - add ability to stop QoS on a specific device
    - fix for ERROR columns on some tc versions
    - max/ceil % is now relative to parent's ceiling rate
      (it was by mistake to parent's base rate)
    - warn if a class takes priority outside the valid ranges of HTB (0-7)
    - switched default color from blue to green

  * Link-Balancer updates
    - add wrappers for rawmark() and custommark()
    - when a table was already up to date but others depend on it,
      it was failing #78
    - fix issue when specifying loop and timeout #77

  * Contrib (ipsets scripts)
    - various fixes and lists added
    - support aggregate to optimize netsets
    - support syslog logging
    - add iprange program, various enhancements over original

  * VNetBuild updates
    - Added

firehol (3.0.0-rc.2) - 2015-03-14

  * Common
    - Added --disable-doc to configure script to stop the installation
      of PDF and HTML versions of documentation
    - Start to bring documentation in line
    - Disable colour on non-terminals

  * FireHOL updates
    - Added synproxy support
    - Services "all" and "any" are now simple services. Service "all" now
      has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN.
    - Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately
    - Fix empty firewall case
    - Added state NEW to masquerade
    - Fix to ensure the final firewall close code emits as both ipv4 and ipv6
      where appropriate even if only ipv4 or ipv6 was used for the final
      interface/router
    - Added action type "sockets_suspects_trap"
    - iptrap now creates the trap if it is not already created
    - Eliminate a warning for kernels prior to 3.5
    - NAT now supports balancing multiple IPs or ports on all NAT modes
    - NAT now supports keyword "at" to specify the chain to be attached to
    - Optimise multi-port matching rules

  * FireQOS updates
    - Optimisations
    - Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP
    - Fixed monitor mode

  * Link-Balancer updates
    - Fix to stop ignoring fallback gateways
    - Use "traceroute -6" not "traceroute6"

firehol (3.0.0-rc.1) - 2015-02-15

  * Performance improvements
    - Both the script and resulting firewalls are faster
    - Choose original complete bi-directional or even faster runtime matching

  * New firewall features
    - ipset support and management
    - IDS and port knocking with traps
    - multiple mark definitions
    - conntrack helpers
    - experimental tproxy support
    - separate default settings file

  * Introduction of link-balancer script