What's new in Arno's IPTABLES Firewall Script 2.0.1b
Mar 19, 2012
- This version fixes RESERVED_NET_DROP, which only worked when RESERVED_NET_LOG was enabled (regression), fixes the installation script, and updates/corrects documentation.
New in Arno's IPTABLES Firewall Script 2.0.1 (Dec 23, 2011)
- This version removes DNS_FAST_FAIL and RESOLV_IPS, since they are both obsolete.
- It adds miscellaneous tweaks.
New in Arno's IPTABLES Firewall Script 2.0.0c (Sep 16, 2011)
- This version calls insserv during configure, when available.
- This is required, for example, on Debian/Ubuntu systems which use dependency-based booting.
- It fixes the MULTICAST jump, which must be done at the end of EXT_INPUT_CHAIN, not at the beginning; otherwise users' "normal" rules for multicast traffic are never reached.
- It updates several plugins.
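The ordering point in the 2.0.0c entry above, shown as an added example (this is not code from Arno's firewall script). Chain names EXT_INPUT_CHAIN and MULTICAST follow the changelog; everything else (the ipt wrapper, the service list, the SSDP rule, the DROP policy in the MULTICAST chain) is assumed for illustration. With DRY_RUN=1, the default, no iptables binary or root is needed: the wrapper records each command instead of executing it, so the two orderings can be compared offline.

```sh
#!/bin/sh
# Added example, not Arno's firewall code: build EXT_INPUT_CHAIN with the
# multicast hand-off either first (pre-2.0.0c) or last (2.0.0c fix) and count
# how many user rules the early jump shadows.
# Assumed: ipt() wrapper, DRY_RUN recording into RULE_LOG, the sample rules.

DRY_RUN="${DRY_RUN:-1}"
RULE_LOG=""

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        RULE_LOG="${RULE_LOG}iptables $*
"
    else
        iptables "$@"
    fi
}

multicast_jump() {
    ipt -A EXT_INPUT_CHAIN -m pkttype --pkt-type multicast -j MULTICAST
}

# build_ext_input first|last [proto:port ...]
#   first = jump at the top of the chain (the behaviour 2.0.0c fixed)
#   last  = jump after all user rules (the 2.0.0c behaviour)
build_ext_input() {
    where="$1"; shift
    RULE_LOG=""
    ipt -N EXT_INPUT_CHAIN
    ipt -N MULTICAST
    ipt -A MULTICAST -j DROP          # assumed policy for unclassified multicast
    if [ "$where" = first ]; then multicast_jump; fi
    for svc in "$@"; do               # ordinary user rules, e.g. tcp:22
        ipt -A EXT_INPUT_CHAIN -p "${svc%%:*}" --dport "${svc#*:}" -j ACCEPT
    done
    # A "normal" user rule for one multicast service (SSDP). It can only match
    # when it sits before the catch-all multicast jump.
    ipt -A EXT_INPUT_CHAIN -d 239.255.255.250 -p udp --dport 1900 -j ACCEPT
    if [ "$where" = last ]; then multicast_jump; fi
}

# Rules appended to EXT_INPUT_CHAIN, in order.
ext_input_rules() {
    printf '%s' "$RULE_LOG" | grep -- '-A EXT_INPUT_CHAIN'
}

# Number of EXT_INPUT_CHAIN rules placed after the MULTICAST jump, i.e. rules
# a multicast packet can never reach. 0 means nothing is shadowed.
rules_after_multicast_jump() {
    ext_input_rules | awk '/-j MULTICAST/ {seen=1; next} seen {n++} END {print n+0}'
}
```

Run with `build_ext_input first tcp:22 udp:1194` and then `rules_after_multicast_jump` to see three shadowed rules (including the SSDP accept); with `last` the count is zero. Setting DRY_RUN=0 executes the same commands against the live tables, which needs root and is only sensible on a test host.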
New in Arno's IPTABLES Firewall Script 2.0.0 (Nov 19, 2010)
- Several IPv6 fixes and tweaks.
New in Arno's IPTABLES Firewall Script 1.9.9 RC1 (Oct 29, 2010)
- Support was added for an optional plugin_restart() function in plugins using a new plugin template.
- The IDENT environment variable is used for plugins.
- The IPV6_AUTO_CONFIGURATION variable was added to control autoconf when IP_FORWARDING = 0.
- The IPV6_OVER_IPV4_SERVER variable was added for the ipv6-over-ipv4 plugin, restricting 6to4 source packets.
- Miscellaneous tweaks and fixes were done.
New in Arno's IPTABLES Firewall Script 1.9.9 Beta 1 (Oct 12, 2010)
New in Arno's IPTABLES Firewall Script 1.9.2l (Aug 31, 2010)
- The sysctl_key() function was implemented and is used for IPv6 detection, which fixes a serious security issue.
- From now on, sysctl wildcard keys (like "net.ipv4.conf.*.rp_filter") are expanded and every matching entry is set explicitly, since newer kernels combine the "all" entry with the per-interface entries differently than before.
- The "Blocked Host" feature adds the BLOCK_HOSTS_BIDIRECTIONAL option to specify whether hosts are blocked both inbound and outbound (which is the default) or inbound only.
- An option was added to enable or disable antispoofing for internal and DMZ nets.
- An option was added to enable or disable IGMP logging.
- Miscellaneous tweaks and fixes were made.
New in Arno's IPTABLES Firewall Script 1.9.2k (Apr 14, 2010)
New in Arno's IPTABLES Firewall Script 1.9.2g (Nov 24, 2009)
New in Arno's IPTABLES Firewall Script 1.9.2d (Aug 29, 2009)
- An update of the 1.9 series version of my firewall, fixing and cleaning up a lot of stuff. Note that some plugins require this version of the firewall. It also contains a minor security fix (compared to 1.9.0 stable), so everyone is recommended to upgrade as soon as possible.
New in Arno's IPTABLES Firewall Script 1.9.2a (Jun 9, 2009)
- Dropped requirement of the ip binary in the main script
New in Arno's IPTABLES Firewall Script 1.9.1 RC1 (May 20, 2009)
- Fixed DMZ_LAN_HOST_OPEN_xxx source hosts not being parsed properly (Thanks to Lonnie Abelbeck)
- Fixed LOG_HOST_OUTPUT_xxx format error (Thanks to Lonnie Abelbeck)
- Added local DNAT redirect support (Thanks to Philip Prindeville)
- Added experimental DMZ-NAT plugin (Thanks to Philip Prindeville)
- Implemented NAT_PREROUTING_CHAIN, POST_NAT_PREROUTING_CHAIN, NAT_POSTROUTING_CHAIN & POST_NAT_POSTROUTING_CHAIN chains
- Replaced DMZ_IF_TRUST and INT_IF_TRUST with the new IF_TRUSTS variable. You can use | to create separate groups of interfaces.
- We now detect whether iptables (/ip4tables/ip6tables) failed (somewhere) during startup and report this at the end
- Fixed NAT_FORWARD_IP not working
- Several fixes/changes in the rule parsers
- Moved from using the $IPTABLES/$IP4TABLES/$IP6TABLES variables to functions (Thanks Philip Prindeville). This should, for example, allow proper tracing.
- Iptables errors will now be shown in red, to better point them out
- Implemented some additional chains (e.g. for plugin use)
- Reverted flushing user chains before stopping plugins, since it causes disconnections.
- Several cleanups/optimizations (thanks to Philip Prindeville, Lonnie Abelbeck & Roy Lanek)
- Major cleanup of functions etc.
New in Arno's IPTABLES Firewall Script 1.9.0b (Mar 3, 2009)
- Some security issues concerning firewall restart were fixed.
- An invalid EOL causing blocked hosts to fail was fixed.
- Invalid sed syntax that caused blocked hosts to fail was corrected.
- The MAC filter was moved from the main script into a separate plugin.
- An issue where the OUTPUT policy didn't get applied was fixed.
- LOG_xxx_INPUT was changed to LOG_INPUT_xxx in the config file.
- Several plugins were updated.
New in Arno's IPTABLES Firewall Script 1.9.0 (Jan 7, 2009)
- LAN_INET_HOST_DENY_TCP/UDP was fixed.
- Default timeout/retry values were set for the dig functions in the env-file.
- sysctl was fixed for busybox setups which don't support -q.
- A sysctl wrapper was implemented for this.
- A new traffic shaper was added.
- net.netfilter.nf_conntrack_max was added as an additional sysctl key.
- AIF:-prefix was added to all LOG messages.
- Fixes and tweaks were done in the install script.
- Verbose mode was disabled by default in the init script.
- Miscellaneous plugin updates were made.
New in Arno's IPTABLES Firewall Script 1.9.0 RC4 (Nov 25, 2008)
- The hfsc plugin and install script were fixed on Ubuntu.
- /usr/share stuff was moved to /usr/local/share (where it belongs).
- The DynDNS plugin was updated to 0.23BETA.
- It now automatically creates/removes the cron job.
- The Traffic Accounting plugin was updated to 0.2BETA.
- An incorrect configuration file used for the transparent proxy plugin was fixed.
- An issue where the installer didn't setup a symlink in /etc/rc* to start the firewall at boot was fixed.
- An uninstall script was added.
- There were also miscellaneous tweaks and fixes.
- Updating your config file is strongly recommended.
New in Arno's IPTABLES Firewall Script 1.8.8o (Sep 3, 2008)
- LOCAL_CONF_SETTING has been removed.
- Support for new-generation plugins has been fixed.
- There are miscellaneous fixes and tweaks.
New in Arno's IPTABLES Firewall Script 1.9.0 RC2 (Sep 3, 2008)
- A new DynDNS plugin was added to open ports for DynDNS (Internet) hosts.
- New default policy handling was added for LAN->INET, DMZ->INET, INET->DMZ, etc.
- The use of source destination IPs with NAT forwards was fixed.
- A basic install script (install.sh) was implemented.
- Several functions and variables were moved into a new separate "environment" file.
- Minor changes and updates were done for plugins. DSL-PPP-modem and transparent-proxy support were moved into a separate plugin.
- The default firewall log file was changed to /var/log/firewall.log.