    No update in a long time now they come all at once. · fab0e69a
    Branko Mikić authored
    ~ Warnings, errors and about are now printed to stderr instead stdout to keep
      the rules files clean.
    ~ Dry-run added via argument -d which will print all iptables commands instead
      of executing them.
    ~ RESET function can now reset the firewall with an optional default policy
      argument like ACCEPT, DROP and REJECT.
    ~ ALLOW_DHCP_CLIENT function and its rules were completely revised. Since the
      new code can handle client and server modes the function has been renamed to
      ALLOW_DHCP. DHCP is hard to track in the filter chains therefore it's now
      handled in the mangle table marking packets on interfaces configured by the
      ALLOW_DHCP function. The marked packets are then finally accepted in the
      filter chains. Further it allows implicit IPv6 link local addresses for the
      dhcp ports only. If you want full link local access you still need the
      ALLOW_LINK_LOCAL function.
    ~ The REMOVE_RULES function has been renamed to REMOVE.
    ~ NEW! Now the log facility used can be selected with LOG and NFLOG argument.
      Be aware that log modes can't be mixed when additional parts of the ruleset
      are executed at later time.
    ~ setupEnv() function removed and its code now resides in the main code. It's
      only used once.
    ~ getLinkID() function revised to avoid fails under strange bash conditions.
    ~ obtainNetPrefix() reimplemented. The old version had different problems. Some
      minor bash errors fixed which could occur in different scenarios.
    ~ NEW! probeChains() can now handle chains from different tables. When the first
      argument starts with -t TABLENAME followed by chain names to probe.
    ~ Limiter chain revised into two stages. The first is the usual rate limiting
      e.g. for people bashing on the ssh port. The second stage is triggered when
      there are IP addresses intensifying attacks which now get blocked for longer
    ~ BLOCK chain removed and block rules placed directly into the corresponding
    ~ LOCAL chain heavily revised and is now the main chain for internal interfaces.
    ~ ALLOW_SERVICE_DISCOVERY is still available but considered obsolete. It was too
      tedious to handle any multicast traffic like mDNS, LLMNR, ... etc.
    ~ NEW! It has been replaced by ALLOW_MULTICAST_ADDRS which uses the 'addrtype'
      feature. Without any optional ports argument it allows any multicast traffic
      but to achieve the same behavior as ALLOW_SERVICE_DISCOVERY it's possible to
      give a list of port arguments.
    ~ NEW! ALLOW_STATEFUL_PACKETS added to allow fine grained control of the
      stateful firewall mechanism to allow NEW packets out in only RELATED,
      ESTABLISHED packets in. Instead of allowing this for any interface this chain
      can be set for an interface explicitly which is very useful when you have
      multiple WAN interfaces.
    ~ ALLOW_LINK_LOCAL revised to limit link local traffic only on the interface it
      has been configured for. This is similar to the behavior before but now the
      addrtype is additionally checked which ensures that the interface the link
      local traffic is going through is a routeable address on an interface of the
    ~ Simple LIST function added. Same like 'iptables --line-numbers -nvL'
    ~ Some error conditions were replaced by warnings and aren't stopping execution
      anymore. Especially when it's desired to place rules for interfaces which
      aren't available at the time the rule is invoked. Some may be some functions
      like ALLOW_SUBNETS or FORWARD_SUBNET which read IP addresses from the
      interfaces and therefore can only be used when the interface is already active
      but this may change in the future.
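
The mangle-mark-then-accept handling of DHCP and the stderr/dry-run separation described in the commit message, sketched as an added example (not the project's own code). The function names, the mark value 0x10 and the interface names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the project's code: mark DHCP(v6) packets in the mangle
# table, accept the marked packets in filter, and print instead of execute
# when DRY_RUN=1 (like the commit's -d). All names here are assumptions.

DRY_RUN=${DRY_RUN:-1}   # 1 = print iptables commands, 0 = execute them
DHCP_MARK=0x10          # constructed mark value; pick one no other rule uses

# Diagnostics go to stderr so a captured rules file stays clean.
warn() { printf 'warning: %s\n' "$*" >&2; }

# Print or execute one iptables/ip6tables command.
ipt() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# allow_dhcp IFACE [client|server]
# DHCP is broadcast/unicast UDP 67/68 (DHCPv6: 546/547 between link-local
# addresses), which is awkward to track statefully, so it is marked in
# mangle and the mark is accepted in filter. Link-local is allowed only here.
allow_dhcp() {
    iface=$1
    case ${2:-client} in
        client) in4="--sport 67 --dport 68"; out4="--sport 68 --dport 67"
                in6="--sport 547 --dport 546"; out6="--sport 546 --dport 547" ;;
        server) in4="--sport 68 --dport 67"; out4="--sport 67 --dport 68"
                in6="--sport 546 --dport 547"; out6="--sport 547 --dport 546" ;;
        *) warn "unknown DHCP mode '$2' for $iface"; return 1 ;;
    esac
    # Stage 1: mark in mangle ($in4 etc. are left unquoted to expand to words).
    ipt iptables  -t mangle -A PREROUTING -i "$iface" -p udp $in4  -j MARK --set-mark "$DHCP_MARK"
    ipt iptables  -t mangle -A OUTPUT     -o "$iface" -p udp $out4 -j MARK --set-mark "$DHCP_MARK"
    ipt ip6tables -t mangle -A PREROUTING -i "$iface" -s fe80::/10 -p udp $in6  -j MARK --set-mark "$DHCP_MARK"
    ipt ip6tables -t mangle -A OUTPUT     -o "$iface" -s fe80::/10 -p udp $out6 -j MARK --set-mark "$DHCP_MARK"
    # Stage 2: accept the marked packets in the filter table.
    for cmd in iptables ip6tables; do
        ipt "$cmd" -A INPUT  -i "$iface" -m mark --mark "$DHCP_MARK" -j ACCEPT
        ipt "$cmd" -A OUTPUT -o "$iface" -m mark --mark "$DHCP_MARK" -j ACCEPT
    done
}

# Example run: `DRY_RUN=1 sh dhcp_rules.sh > rules.txt` keeps only the rules
# in rules.txt; any warning still reaches the terminal via stderr.
allow_dhcp eth0 client
```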