Commit fab0e69a authored by Branko Mikić

No update in a long time now they come all at once.

~ Warnings, errors and about are now printed to stderr instead of stdout to keep
  the rules files clean.
~ Dry-run added via argument -d which will print all iptables commands instead
  of executing them.
~ RESET function can now reset the firewall with an optional default policy
  argument like ACCEPT, DROP and REJECT.
~ ALLOW_DHCP_CLIENT function and its rules were completely revised. Since the
  new code can handle client and server modes the function has been renamed to
  ALLOW_DHCP. DHCP is hard to track in the filter chains therefore it's now
  handled in the mangle table marking packets on interfaces configured by the
  ALLOW_DHCP function. The marked packets are then finally accepted in the
  filter chains. Further it allows implicit IPv6 link local addresses for the
  dhcp ports only. If you want full link local access you still need the
  ALLOW_LINK_LOCAL function.
~ The REMOVE_RULES function has been renamed to REMOVE.
~ NEW! Now the log facility used can be selected with LOG and NFLOG argument.
  Be aware that log modes can't be mixed when additional parts of the ruleset
  are executed at later time.
~ setupEnv() function removed and its code now resides in the main code. It's
  only used once.
~ getLinkID() function revised to avoid fails under strange bash conditions.
~ obtainNetPrefix() reimplemented. The old version had different problems. Some
  minor bash errors fixed which could occur in different scenarios.
~ NEW! probeChains() can now handle chains from different tables when the first
  argument starts with -t TABLENAME, followed by the chain names to probe.
~ Limiter chain revised into two stages. The first is the usual rate limiting,
  e.g. for people bashing on the ssh port. The second stage is triggered when
  there are IP addresses intensifying attacks, which now get blocked for longer
  periods.
~ BLOCK chain removed and block rules placed directly into the corresponding
  chains.
~ LOCAL chain heavily revised and is now the main chain for internal interfaces.
~ ALLOW_SERVICE_DISCOVERY is still available but considered obsolete. It was too
  tedious to handle any multicast traffic like mDNS, LLMNR, ... etc.
~ NEW! It has been replaced by ALLOW_MULTICAST_ADDRS which uses the 'addrtype'
  feature. Without any optional ports argument it allows any multicast traffic,
  but to achieve the same behavior as ALLOW_SERVICE_DISCOVERY it's possible to
  give a list of port arguments.
~ NEW! ALLOW_STATEFUL_PACKETS added to allow fine grained control of the
  stateful firewall mechanism to allow NEW packets out and only RELATED,
  ESTABLISHED packets in. Instead of allowing this for any interface this chain
  can be set for an interface explicitly, which is very useful when you have
  multiple WAN interfaces.
~ ALLOW_LINK_LOCAL revised to limit link local traffic only on the interface it
  has been configured for. This is similar to the behavior before, but now the
  addrtype is additionally checked, which ensures that the interface the link
  local traffic is going through is a routable address on an interface of the
  host.
~ Simple LIST function added. Same as 'iptables --line-numbers -nvL'.
~ Some error conditions were replaced by warnings and aren't stopping execution
  anymore. Especially when it's desired to place rules for interfaces which
  aren't available at the time the rule is invoked. There may be some functions
  like ALLOW_SUBNETS or FORWARD_SUBNET which read IP addresses from the
  interfaces and therefore can only be used when the interface is already active,
  but this may change in the future.
parent e03c86cb
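The commit message describes three mechanisms without showing them: a dry-run mode that prints iptables commands instead of executing them, warnings sent to stderr so the rule output stays clean, and a two-stage limiter chain (short-term rate limit, then a longer block for sources that keep hammering). The following script is an added illustration of those three ideas built on plain iptables and the `recent` match; it is not the project's own code, and the chain names (LIMITER, LIMITER_BLOCK), list names, thresholds (5 new connections per 60 s, 3600 s long-term block) and the DRY_RUN variable are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's code: dry-run wrapper around iptables,
# stderr-only warnings, and a two-stage limiter chain for one TCP port.
# All names and thresholds below are constructed for illustration.

DRY_RUN="${DRY_RUN:-0}"   # 1 = print commands instead of executing them

# warn MSG: diagnostics go to stderr so stdout only ever carries rule lines.
warn() {
    printf 'warning: %s\n' "$*" >&2
}

# ipt ARGS...: execute iptables, or print the command line in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_limiter PORT: install a two-stage limiter in front of a TCP port.
# Stage 1 (LIMITER): every NEW connection is recorded in the short-term list;
#   a source exceeding 5 hits within 60 s is handed to stage 2.
# Stage 2 (LIMITER_BLOCK): the source is added to the long-term list and
#   dropped; the first rule of LIMITER then drops it for 3600 s after the
#   last recorded hit, so an attacker that keeps retrying stays blocked.
build_limiter() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) warn "build_limiter: port '$port' is not numeric, skipping"; return 1 ;;
    esac
    ipt -N LIMITER
    ipt -N LIMITER_BLOCK
    ipt -A LIMITER_BLOCK -m recent --name limiter-long --set
    ipt -A LIMITER_BLOCK -j DROP
    ipt -A LIMITER -m recent --name limiter-long --rcheck --seconds 3600 -j DROP
    ipt -A LIMITER -m recent --name limiter-short --set
    ipt -A LIMITER -m recent --name limiter-short --rcheck --seconds 60 --hitcount 5 -j LIMITER_BLOCK
    ipt -A LIMITER -j ACCEPT
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j LIMITER
}

# Usage (constructed): sh limiter.sh [-d] PORT
if [ "${1:-}" = -d ]; then DRY_RUN=1; shift; fi
[ $# -gt 0 ] && build_limiter "$1"
```

Run with `-d` to review the exact rule set before it touches the kernel, e.g. `sh limiter.sh -d 22`; because warnings go to stderr, the dry-run output can be redirected into a rules file without picking up diagnostics. Note that `-m recent --set` always matches, so that rule has no target and packets fall through to the hitcount check on the next line.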