>> PROJECT HOMEPAGE Changelog 2.0rc8 -> 2.0rc9 ICMP echo-request packets are now allowed through the firewall to all hosts on the DMZ if the RFC_1122_COMPLIANT option is enabled. Installer version 1.1 security-fix: Remove filename from /tmp before writing to it. Eliminate ./rc.firewall clear garbage output when used with a non-moluar kernel. New option: "SHARED_INTERNAL" to control access between internal networks. Added explanation of default internal network behavior in PERMIT documentation and added minor updates to Advanced Documentation section. Functions for ALLOW_INBOUND and DENY_OUTBOUND heavily modified to provide more intuitive firewall behavior. Various minor wording changes in error messages and comments. New function "FIREWALL_IP" provides a solution to allow a Linux firewall to be transparently inserted between a public network and its border router. Port forwarding setup function updated. 2.0rc7 -> 2.0rc8 xbits() COUNT variable changed to NUM to avoid conflict in STATIC_INSIDE_OUTSIDE [bugfix] 2.0rc6 -> 2.0rc7 Option to ignore interfaces. Option to dump established tcp connection on firewall init. New TTL stealth router mode. Requires TTL kernel patch above. Option to drop new packets without the SYN flag set. Log limiting and levels can now be changed via configuration options. Use of iptables-save in save function and fast restore option for static speed sensitive applications. Support for updating configuration files from any version of rc.firewall. PERMIT parsing bugfix. Fix to allow ICMP-ECHO-REQUEST replies to be sent when configured as a router with no assigned IP addresses. Pretty progress dots for firewall configuration. Firewall now checks for proc filesystem support. ip_forward is now enabled after firewall rules are in place. All modules besides ip_conntrack are unloaded when the firewall is stopped. STATIC_INSIDE_OUTSIDE can now handle connections from the network on which the inside host resides. Option to allow systems on your local external network to bypass the firewall. Code cleanup in various functions. 2.0rc5 -> 2.0rc6 Numerous minor bugfixes. Support for DMZ interfaces. New BLACKLIST option to tame very badly behaved hosts. Combined OPEN_PORTS and TRUSTED_NETWORKS into a single configuration option called "PERMIT". Port forwarding now works from the local machine, provided you have iptables 1.2.6a+ and kernel 2.4.19+ with CONFIG_IP_NF_NAT_LOCAL enabled. Option to always load an external configuration file. 2.0rc4 -> 2.0rc5 Huge speed increase from eliminating nameserver lookups in various sanity checking operations. Unloads ipchains before modprobing required modules. Added intelligence for an interface that is up but doesn't have an address yet (dhcp is searching for an address). Assorted other sanity checking code cleanups. Special thanks to Stepan Kasal <kasal@math.cas.cz> for numerous patches. TRUSTED_NETWORKS can now access internal hosts through a non-nat firewall. Added support to selectively allow inbound sessions from/to specific hosts/ports on a non-nat network. Added support for selectively blocking access from internal network to selected hosts/networks/ports. Support for static one to one mapping of internal and external addresses through the firewall. Fix port forwarding on dynamic external interfaces. Fix traceroutes broken due to ICMP DNAT information leak workaround. Script now checks for Local Loopback interface. Script now performs route compaction (intelligently removes redundant networks). Script now checks definitions relating to the internal network against internal networks actually available. Configuration file can now be loaded and saved from any location. 2.0rc3 -> 2.0rc4 More updates to port forwarding code. Added complete descriptions of basic directives and removed descriptions for advanced directives with a reference to the online documentation. All idiotproofing is now completed before any changes to the current system configuration are made. Added support for optional firewall configuration file using 'saveconfig' and 'loadconfig' execution arguments. Support for port specification on trusted networks. Added support for dynamic (dial-up) internal interfaces. 2.0rc2 -> 2.0rc3 Only source NAT connections leaving the same interface they came in on. Fixes port forwarding caveat #2. 2.0rc3 will requires mangle table support, the MARK target, and the mark match module to do port forwarding. Add rp_filter support. Change STATIC_IP to DYNAMIC_INTERFACES to allow for finer control over NAT. Disable IP aliasing support where it doesn't make sense. Fix TRUST_ROUTED_NETWORKS bug. Make port forwarding select connections to forward more rigorously. Pretty progress dots. Various other minor improvements. 1.8 -> 2.0rc2 Tons and tons of error checking and idiotproofing, both for user input and in verifying that the current system configuration usable, with much more verbose success and failure messages. Powerful port forwarding directives. Logging support. Support for SysV style initialization. The 'start' and 'restart' arguments are redundant and are equivalent to running the script without any arguments at all. The 'stop' argument removes all existing firewall rules ('stop' and 'clear' are synonymous). External interfaces nolonger need to be specified, they are automatically determined. Automatically modprobes required modules. Support for routing without doing NAT. Support for routing additional internal networks. Support for routing internal network connections but not trusting them to connect to the machine itself. Support for interfaces with non-static addresses. Explicitly allow packets from loopback interface instead of having the loopback address as a trusted network. Support for multiple internal and external interfaces and IP aliasing [e.g. eth0:1]. PATH is now explicitly specified. Added primitive route verification, script now checks that packets from routed networks are received on internal interfaces. Allowing internal DHCP packets is now optional. 1.7 -> 1.8 Changed default policy in the filter table to DENY on the FORWARD and INPUT chains. Packets matching ESTABLISHED and RELATED states are now explicitly allowed, while those matching the INVALID state now fall off the end of the chains. This required adding explicit state matching to all rules. The script is still functionally exactly the same. Default configuration nolonger has any trusted hosts. Enabling the RFC 1122 compliance option now only allows ICMP type 'echo-request' (as opposed to all ICMP packets) and gracefully rejects unmatched NEW connections. Rewrote TRUSTED chain implementation. Added -n to NOT look up hostnames when checking `iptables -L`. Very important if you cannot reach your nameserver! When IS_ROUTER is enabled, the script now automatically adds the internal network to the list of trusted networks and allows access to UDP port 67 (DHCP) from the internal interface. Added checking to determine if interfaces being used are actually up. Some formatting cleanup. Added loopback addresses as a trusted network [127.0.0.0/8]. 1.6 -> 1.7 First release under GPL licensing. Added Changelog. Location of iptables no longer defined in-script. Make sure iptables is in your path. Tests for existence of nat and mangle tables. Integrate separate workstation, server, and router scripts into one script. Remove explicit redirection of packets from the internal network to the external interface. The kernel does this for us.