Version 1.8.1BETA-3 (August 15, 2003)
-------------------------------------
+ Finally added support for Freeswan virtual IPs. You should use the new variable $FREESWAN_NET to accomplish this. Patch was kindly donated by Rifath Nawaz.
* Again fixed broken port forwarding, changed the variable implementation for multiport(!) and updated the help in the configuration file (please check it and update your old configuration files accordingly!).
+ Added support for static NAT (SNAT) through $NAT_STATIC_IP.
+ Added new variables HOST_TCP_LOG, HOST_UDP_LOG & HOST_IP_LOG to log connection attempts to certain ports from certain hosts.
- Removed unused SYN-flood log code

Version 1.8.1BETA-2 (August 7, 2003)
------------------------------------
! Fixed broken port forwarding
! Fixed $BLOCK_HOSTS variable

Version 1.8.1BETA-1 (August 5, 2003)
------------------------------------
! Fixed unmatched BLOCK_FORWARD_xxx / BLOCK_OUTPUT_xxx variables. Names are now changed in the script to reflect the ones actually used in the config file (no config file update necessary).
! Fixed block rules & block rule consistency
* Changed the modem net spoof drop from /8 back to /24. This fixes problems for people who use 192-subnets for both the modem and the internal LAN, for example.
+ Added variables WATCH_TCP_LOG, WATCH_UDP_LOG, WATCH_IP_LOG to log different types of packets going out. Especially useful for debugging purposes.
- Variable OPEN_CONNECT_LOG has been removed (obsolete) as it has been superseded by the WATCH_xxx_LOG variables
+ Added new variable DENY_IP_OUTPUT, to block specific outgoing IP protocols. Mainly implemented for consistency.
+ Added variable PROXY_PORT to enable support for a transparent proxy.
+ Enhanced port/proto forward routines (+ cleanup)
* Cleanup of the configuration file
* Moved the port forward section away from the internal network rules.
Version 1.8.0 (stable) (April 22, 2003)
---------------------------------------
* Changed the internal net masquerade rules to make them better compatible with Freeswan VPN virtual IPs
* Removed (invisible) black background color in fwfilter to fix terminal transparency under X.
* Changed the rp_filter option to be set/unset for ALL interfaces (including the external interface) (Freeswan compatibility).
* Renamed variable $OTHER_IF to $TRUSTED_IF (clearer)
* Added new variable $FIREWALL_LOG. Now the previously hard-coded /var/log/firewall can be user-defined
+ Improved AWK binary lookup for fwfilter (should work with Debian now by default). You can also manually configure the awk binary location inside fwfilter
* Minor cosmetic changes for fwfilter
! Fixed support for PPPoA connections. It's now also no longer required to enter an IP for the modem network interface (MODEM_IF_IP)
* I removed the Q&As from the README file as my new website is now up, where they're located now.

Version 1.7.3RC-2 (March 7, 2003)
---------------------------------
! Finally fixed a bug causing the firewall not to work (100%) with German T-DSL and possibly many others with this type of (A)DSL connection. Also changed/hardened some of the MODEM rules. (Check the new config file on how to make it work!)
+ Added new variable $MODEM_INTERNAL_NET. This allows you to only give specific hosts or subnets access to the (A)DSL modem itself (to manage settings). By default (in the new configuration file) MODEM_INTERNAL_NET is equal to INTERNAL_NET, which allows everyone on the LAN access to the (A)DSL modem.
+ Added new variable $NAT_INTERNAL_NET. This allows you to only give specific hosts or subnets access to the internet (via NAT). This parameter is backward compatible, so if no value is specified the 'old' behaviour is assumed.
* !!! Changed the $LOCAL_NET variable into $INTERNAL_NET. This is for better consistency. !!!
+ Added some more sanity checks for the interfaces specified
* Changed the "else if" statements in fwfilter to just be "if"; this should fix some random/potential problems
! Fixed (finally) an annoying (AWK) bug causing fwfilter to drop the double space if the date only consisted of one number (causing misalignment)
+ Added new variable "$DROP_PRIVATE_ADDRESSES" to enable/disable the drop of private IP addresses
! Fixed a bug causing rp_filter to always be disabled (thanks to Anibal for providing the patch)
* Changed the RESERVED_NET drop/log location and some related other rules. Now "UDP/TCP no-log" also works for packets with a reserved address as source. Also using RESERVED addresses for FULL_ACCESS_HOSTS and hostwise allow is now possible.
+ Updated the IANA reserved networks list
* Fixed/changed FORWARD rule for OTHER interfaces ($OTHER_IF), meaning that OTHER interfaces are now allowed to send packets via the FORWARD chain to the external interface. This optionally(!) allows OTHER interfaces (like ipsec0) to MASQUERADE traffic via the internet interface. This can be useful for DNS queries, for example.
+ Added variables $BLOCK_TCP_FORWARD, $BLOCK_UDP_FORWARD, $BLOCK_TCP_OUTPUT, $BLOCK_TCP_OUTPUT & $OUTPUT_DENY_LOG. These variables can be used to deny (& log) certain services for internal or local client(s).
! Fixed /proc/../ip_conntrack_max module loading for Slackware (thanks to Rok Potocnik for pointing this out)
! Fixed DHCP_BROADCAST log
* Changed text & log rate limiting for hostwise TCP/UDP deny logging
* Removed -i $EXT_IF match from the INPUT ESTABLISHED rule (faster)
* Minor cosmetic changes

Version 1.7.3RC-1 (January 9, 2003)
-----------------------------------
+ Added new variable $POSSIBLE_SCAN_LOG to enable/disable logging of possible stealth scans
+ Added new variable $OTHER_IP_LOG to enable/disable logging of "other-IP" protocols (non TCP/UDP/ICMP)
+ Added new variable $DHCP_BROADCAST_LOG to enable/disable logging of DHCP broadcasts
! Fixed masquerading for the ADSL modem (modem browsing was broken)
+ Added new variable $LOOSE_FORWARD. When this option is enabled it loosens the forward chain, which allows protocols like UPnP to be used. Note that it's less secure to use this option; the security of M$ UPnP is also doubtful
+ Added new variable $DROP_IANA_RESERVED to enable/disable dropping of IANA reserved addresses.
* Cosmetic changes

Version 1.7.3BETA-2 (December 16, 2002)
---------------------------------------
+ Added new fwfilter options: "RESOLVE_NAMES" to allow you to disable resolving host names, "USE_ANSI_COLORS" to allow you to disable the use of ANSI colors & "USE_2ROWS" to enable or disable the usage of 2 rows to show info
+ Added new variables: $UNPRIV_TCP_LOG & $UNPRIV_UDP_LOG to disable logging of connection attempts to unprivileged TCP and/or UDP ports (also for "possible stealth scans")
+ Added variable $OTHER_IF which should contain all "other" interfaces for which ALL packets should be accepted
* Removed separate ACK scan detection. Now incorporated in "possible stealth scans".
* Changed the order of RELATED, CHECK etc. chains to improve security
+ IPv4 forwarding enabled by default (if available). This in advance of the upcoming Freeswan support.
! Fixed a bug causing port forwarding not to work correctly with "no lost connections log" enabled (forgot ! --syn)
! Fixed INPUT chain. It now logs ALL dropped packets (not only from $EXT_IF).
+ Cleaned up CHECK chain (removed -i $EXT_IF)
+ Added the (patch) code for Freeswan support (check the README FAQs to see how to do it -> it's really simple). This mainly concerns the FORWARD & MASQUERADE code. Many thanks go out to Rifath Nawaz for his help on this issue.
* Modified RESERVED NET log rate limiting
+ Added dynamic IP hacking for DHCP clients
* Reduced number of kernel modules probed & added some info
! Fixed a command line argument bug causing for example "rc.iptables status -t nat" not to work.
+ Now RELATED state may also accept connections on privileged ports.
* Renamed the FULL_ACCESS_SUBNETS variable to FULL_ACCESS_HOSTS (better name)
! Fixed multiport port forwarding (NAT)
+ Added variable RP_FILTER to enable or disable the rp_filter. It should normally be enabled, but when using for example Freeswan (VPN), where you want to route external private IPs into your network, you should disable it. Note that rp-filtering is always performed on the external interface, regardless of this variable.
+ Added support for the iptables IRC module; use $USE_IRC=1 to enable this. This support is somewhat limited (compared to ipchains) but this is (like ICQ) a limitation of iptables.
* Removed the UNPRIV_PORTS variable from the config file, it's obsolete now.
* Other minor (cosmetic) changes/additions/fixes

Version 1.7.3BETA-1 (November 1, 2002)
--------------------------------------
* Changed back the TOS port values from names to the actual port numbers because of problems with certain distributions (Gentoo).
+ Updated port names for fwfilter
+ Added functionality to forward a specific port to a different port number on the localhost. For example forward port 81 on the server to port 80 on the localhost. Simply add :port_number (ex. :80) to the host to do this.
* Interface masq / support for multiple local interfaces
* Again tweaked the lost connection drop (won't be the last time, I guess)
+ Added chkconfig header to rc.traffic-shaper
+ Added tc binary variable to rc.traffic-shaper
* Moved INVALID check to the beginning of the chains (much better protection)
+ Added 2 more sanity checks
* Changed the reset counters behaviour to be only performed when "start" is used. Now the counters are no longer reset on "restart" or "stop"
+ Fixed / changed some major things in fwfilter (looks a lot better now!)
+ Now local hosts can also be blocked through the blocked-hosts file
! Fixed a cosmetic bug which caused the "root check failed" text to show an error
+ Enhanced the status command
+ Renamed MISC_PACKET_LOG to INVALID_PACKET_LOG
+ Added rules for lost connection log (TCP) in the port-forwarding (NAT) section

Version 1.7.2FINAL (stable) (September 26, 2002)
------------------------------------------------
+ Cleaned up modem rules and removed the MODEM_NET variable, which is now constructed from MODEM_IP (easier configuration)
+ Added IP resolve for fwfilter (uses dig)
* Changed IP resolve for rc.iptables (now uses dig)
! Fixed multi-name response for DNS queries. Now it only returns the first name
+ Added support for DHCP/BOOTP service
+ Added some (ANSI) colors to fwfilter (to make it more readable)
+ Tweaked the lost connection drop some more

Version 1.7.1BETA-3 (August 23, 2002)
-------------------------------------
+ Added $DYNAMIC_IP variable. Enables support for dynamic IPs assigned through DHCP by your ISP
+ (Re)added ip_always_defrag proc because of possible iptables-patched 2.2 kernels (legacy support)
+ Now probable lost connections to local services (listen ports) are also dropped (if LOST_CONNECTION_LOG is disabled)
+ Now new connections on open ports may only be established through the (valid) --syn scheme
+ Performed an update check for the reserved nets list (IANA)
+ Updated fwfilter: now RES & URGP are NOT shown if 0. It now DOES show the TTL, however
+ Lowered the number of modprobed modules. Now only the ones that are really necessary are modprobed.
* Changed MODEM_ETH & MODEM_ETHIP names to MODEM_IF and MODEM_IF_IP (consistency)
! Fixed a bug in (the new) fwfilter causing it to show parts of the firewall messages twice
+ No-syn detect/drop now enabled by default (removed the paranoid parameter)
! Fixed IFS reset from IFS='' to unset IFS. This could have caused (under certain circumstances) variable corruption. (A stupid mistake made by me because I misinterpreted the BASH manual, aaaaaargh)
+ Now host block (blackhole) is applied before the rest of the firewall is activated
* Removed net NEW STATE for no SYN detect (consistency)
* Moved CUSTOM_RULES variable to the config file (where it *really* belongs)
+ Added support for a separate BLOCKED hosts file. New command 'breread' introduced to quickly reread the block hosts file. The path of the file can be configured in the config file.
+ Added detection of (nmap) ACK scan
* Moved traffic shaping to a separate shell script (rc.traffic-shaper). Now you can do the following: start the firewall, bring up the internet connection and finally traffic shape. This order is the most secure way to do things.
* Moved including of custom rules to the beginning (right after the INPUT valid_check chain)
* Cleaned up the code and again some (minor) cosmetic changes.
+ Introduced new separate CHANGELOG file as it became too large to be in the script itself. This is what the characters mean: * = changed, + = added, ! = (bug) fixed

Version 1.7.1BETA-2 (August 2, 2002)
------------------------------------
- added $IPTABLES binary existence check
- new variable TCP_SYN_PARANOID. Drop & log any new packets without the SYN flag exclusively set (Disabled by default!)
- updated/changed fwfilter
- now non-primary variables that don't exist no longer generate an error (config file now upward compatible)
- added warning message if kernel version is < 2.4
- fixed scan type log/drop order
- lowered the default conntrack to reduce kernel memory usage (high conntrack is now disabled by default)
- added ipchains module error detection
- expanded/updated the (nmap) scan types
- removed ip_always_defrag proc (it's obsolete in the 2.4 kernel)
- replaced service numbers with service names for -j TOS targets
- new variable ECN, adds support for ECN (disabled by default)
- minor cosmetic changes

Version 1.7.1BETA-1 (July 25, 2002)
----------------------------------
- fixed module detection for Mandrake dist. (for .o.gz modules)
- added support for custom rules (use CUSTOM_RULES at the beginning of the script)
- added chkconfig compatible header to rc.iptables (you can now use it in different runlevels if you want)
- added logging of tcp/udp port 0 fingerprinting (scan type, enabled via SCAN_LOG)
- the 2 options below now make it possible to forward/run your own VPN server
- added non-tcp/udp forwarding (IP_FORWARD)
- added support for non-tcp/udp protocols -> new variables OPEN_IP, OPEN_HOST_IP
- code cleanup in forward/masq rules
- ipt_state & ipt_limit modules were modprobed twice (thanks to Lex for pointing this one out)
- misc. minor cosmetic changes & typo fixes

Version 1.7.0FINAL (July 6, 2002)
---------------------------------
- fixed text for log rule "new udp connection" where it should be "new tcp connection"
- tc is now first reset before traffic shaping is "really" activated (RTNETLINK error)
- moved all user configurable variables to a separate config file
- removed commented unclean packet checking code as it is obsolete
- fixed traffic shaping for non-ppp internet connections
- strengthened security in masq/forward rules
- fixed related ICMP state for INPUT/FORWARD chain. This should fix the problems with low ping for Quake3 and dropped related ICMP packets for the forward chain.
- fixed support for internal DHCP servers (ALL internal traffic is now accepted!)
- misc. minor cosmetic fixes

Version 1.6.9RC-3 (May 29, 2002)
--------------------------------
- fixed drop of invalid packets
- moved down reserved network check and changed rate limiting to 12/hour
- misc. minor cosmetic fixes
- added modprobe for sch_tbf module (required for traffic shaping) for kernels without built-in support

Version 1.6.9RC-2 (April 9, 2002)
---------------------------------
- various minor cosmetic changes
- fixed masquerading for NON-ADSL internet connections
- tweaked the 'lost connection' drop some more and moved it down to the end of the chain

Version 1.6.9RC-1 (April 3, 2002)
---------------------------------
- all BETA3 functions are now "final"
- cleaned up the code
- added more help (remarks)
- some minor (cosmetic) bug fixes & tweaks
- separated the root DNS server list from the custom DNS server list
- added option to enable/disable the logging of (probable) lost connections (non-harmful log)
- added some additional kernel & log options
- removed obsolete "syn-flood" log code
- fixed a problem in the forward chain which could disallow a control (http/telnet) connection to your ADSL modem
- whole reserved net / flag check moved to separate chain (VALID_CHECK)
- VALID_CHECK now also done for FORWARD chain

Version 1.6.9BETA-3 (March 26, 2002)
------------------------------------
- updated reserved nets list
- updated (nmap) scan types
- misc. (masq) cleanup
- added misc. kernel protections
- added set_mss option
- hardened forward policy some more
- fixed stop command (cosmetic bug)
- added option resolv_ips to disable resolving IPs
- no more tcp for incoming dns servers
- added the root dns servers to the dns list
- changed insmod to modprobe
- fixed nmap null scan detection
- added traffic shaping support (partially)
- disabled unclean packet checking for now (not reliable)
- fixed double reserved net logging (minor cosmetic problem)
- added no-log for non-harmful packets to fix false connection alarms

Version 1.6.9BETA-2 (February 20, 2002)
---------------------------------------
- added host name resolve for trusted hosts
- changed REJECT for DENY_HOST_XXX to DROP

Version 1.6.9BETA-1 (February 14, 2002)
---------------------------------------
- hardened the FORWARD chain for possible MASQ abuse
- added status command

Version 1.6.9ALPHA-3 (February 11, 2002)
----------------------------------------
- increased the log burst limit for some rules
- added "xxx_DROP_NOLOG" to block certain ports but don't log them (Code Red)
- fixed a problem in the port forward routines which probably didn't make it work at all
- now with "restart" command the modules aren't loaded again (speed)

Version 1.6.9ALPHA-2 (February 4, 2002) (this version uses code from ADSL4LINUX.NL)
-----------------------------------------------------------------------------------
- added support for mangling (RFC)
- added support for NAT
- added additional IPTABLES kernel modules
- added support for port forwarding (NAT)
- changed the names of various variables

Version 1.6.8BETA (January 11, 2002)
------------------------------------
- now tcp/udp allows/denies are more flexible (new format)
- removed common services log (now done by fwfilter script)
- misc. cleanup of obsolete functions

Version 1.6.7 (January 11, 2002) stable
---------------------------------------
- disabled "no syn detect" again (problems with ftp daemon).
- now max connect/second for --state new is unlimited (now only protection via syn cookies)
- firewall start/stop etc. now also logged in /var/log/firewall
- disabled furtive scan logging (not reliable)

Version 1.6.6 (03/10/2001) stable
---------------------------------
- fixed wrong log level for ping/SYN floods (info instead of $LOGLEVEL)
- fixed/enhanced command line parameters for the script
- disabled logging of "normal" connection attempts

Version 1.6.5 (14/08/2001)
--------------------------
- added support for log level=debug
- added support for incoming DNS servers
- disabled 'no syn' detect for now

Version 1.6.4 (09/08/2001) stable
---------------------------------
- changed a lot of '-j LOG' to have a limit-burst of 1
- TCP RST packets are now dropped to fix false 'missing syn' alarms
- nmap scan packets are now also dropped if logged
- changed some rate limiting values on some -j LOG

Version 1.6.4BETA (03/08/2001)
------------------------------
- fixed: ICMP logging now in CHECK chain (it was in the INPUT chain)
- changed ICMP / SYN flood logging & protection
- fixed new state for UDP (now previous problems with bind are 100% fixed)
- added null scan detection
- added logging of fragmented packets
- added logging of new connections made to completely open tcp & udp ports
- fixed various bugs

Version 1.6.3BETA (02/08/2001)
------------------------------
- added additional ICMP / SYN flood logging & protection
- added detection for furtive port scanner
- now "valid" new TCP connections are only allowed with the SYN flag set

Version 1.6.2 (02/08/2001)
--------------------------
- fixed some variables in echo's which were still lower case
- decreased rate limiting for new connections (it gave some problems with running bind => DNS).
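As an added illustration (example code, not part of rc.iptables or fwfilter), the following Python parses kernel iptables LOG lines and sorts the TCP flag combinations into the cases the 1.6.x and 1.7.x entries treat differently: SYN-only (the only combination accepted as a valid new connection), no flags at all (null scan), RST (dropped without raising a 'missing syn' alarm) and no-SYN (lost connection or ACK/FIN scan). The sample lines, their log prefixes and addresses are constructed; the display rule of hiding RES and URGP when zero but always showing TTL follows the later fwfilter note.

```python
import re

# Constructed sample lines in the kernel's iptables LOG format (not from the page);
# the text before "IN=" is the rule's --log-prefix.
SAMPLE_LOG = """\
Aug 23 10:01:02 gw kernel: NEW TCP CONNECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=51 ID=1337 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 10:01:03 gw kernel: LOST CONNECTION: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1338 PROTO=TCP SPT=40001 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Aug 23 10:01:04 gw kernel: POSSIBLE SCAN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=0 PROTO=TCP SPT=61000 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Aug 23 10:01:05 gw kernel: RST DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1339 PROTO=TCP SPT=40001 DPT=22 WINDOW=0 RES=0x04 ACK RST URGP=0
Aug 23 10:01:06 gw kernel: NEW UDP CONNECT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=UDP SPT=53 DPT=1024 LEN=58
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return {'prefix', 'flags', KEY: VALUE, ...} for one LOG line, or None."""
    msg = line.split("kernel:", 1)[-1].strip()
    start = msg.find("IN=")
    if start < 0:
        return None
    fields = {"prefix": msg[:start].strip(), "flags": set()}
    for tok in msg[start:].split():
        m = KV_RE.fullmatch(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        elif tok in TCP_FLAGS:        # TCP flags are logged as bare tokens after RES=
            fields["flags"].add(tok)
    return fields

def classify_tcp(fields):
    """Name the flag combination; these are the distinctions the log rules make."""
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    flags = fields["flags"]
    if not flags:
        return "null-scan"            # no flags at all: never a legitimate segment
    if flags == {"SYN"}:
        return "syn-only"             # the only way a NEW connection is accepted
    if "RST" in flags:
        return "rst"                  # dropped silently, never a 'missing syn' alarm
    if "SYN" not in flags:
        return "no-syn"               # ACK/FIN without SYN: lost connection or ACK/FIN scan
    return "syn-plus-other"           # SYN combined with FIN/RST etc.: invalid

def format_entry(fields):
    """Render like later fwfilter versions: TTL always, RES/URGP only when non-zero."""
    proto = fields.get("PROTO", "?")
    src, dst = fields.get("SRC", "?"), fields.get("DST", "?")
    if proto in ("TCP", "UDP"):
        src += ":" + fields.get("SPT", "?")
        dst += ":" + fields.get("DPT", "?")
    parts = [fields["prefix"] or "(no prefix)", f"{src} -> {dst}", proto,
             "TTL=" + fields.get("TTL", "?")]
    if proto == "TCP":
        parts.append("flags=" + (",".join(sorted(fields["flags"])) or "none"))
        if int(fields.get("RES", "0"), 16):
            parts.append("RES=" + fields["RES"])
        if fields.get("URGP", "0") != "0":
            parts.append("URGP=" + fields["URGP"])
    return " ".join(parts)

def summarize(log_text):
    """Pair each parsable line's classification with its rendered entry."""
    return [(classify_tcp(f), format_entry(f))
            for f in map(parse_log_line, log_text.splitlines()) if f]
```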
Version 1.6.1 (30/7/2001) stable
--------------------------------
- one ']' missed a space
- fixed icmp receiving for the whole world

Version 1.6.0 (30/7/2001)
-------------------------
- added logging for reserved net source IPs
- added logging of start/stop of firewall in kernel messages
- added variable OPENICMP to enable ICMP packets to be sent by the whole world
- moved ICMP logging down (now only dropped ICMP packets are logged)
- added variable INT which selects the interface to protect
- added start / stop parameter
- fixed a bug which caused the whole world to be able to ping your machine
- added detection of additional subseven (trojan) listen port probes
- misc. fixups

Version 1.5.1 (26/7/2001) - first stable release
------------------------------------------------
- added support for: trojans & explicit detection of known services
- now also detect scans from trusted hosts
- moved some parts of the code to make it more secure for (hacked) trusted hosts (syn detection etc.)