forked from rfxn/advanced-policy-firewall
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG.RELEASE
60 lines (60 loc) · 5.08 KB
/
CHANGELOG.RELEASE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
- 1.7.5 | Feb 4th 2014:
[New] added USE_IPV6 option to conf.apf for enabling/disabling IPv6 support/rule creation
[New] added SET_EXPIRE configuration option for controlling deny_hosts ban expiration time
[New] added SET_REFRESH_MD5 configuration option which controls validation checks on trust rules and skips refresh if no changes
[New] use of keywords 'static' or 'noexpire' in ban comments (e.g: apf -d IP "noexpire http flood") will cause
an address to never expire from the deny_hosts till removed with 'apf -u HOST/IP' or manually deleted
from file
[New] Versioning scheme changed as follows:
- MAJOR#.MINOR#.REVISION#
- [0.]9.7-3 becomes 1.7.3
- 1.7.3 Mar 11th 2013 contained many backported items from dev tree that became 1.7.4; merged trees into 1.7.5
- New versioning scheme will become consistent across all rfxn.com projects
- The old versioning scheme had no real value and had become a never
ending release tree
[New] added locking support to prevent multiple start,stop,restart,refresh operations from running on top of each other
[New] added mutliport support to trust syntax
[Change] replaced usage of ifconfig with ip command for determining interface addresses, preserved ifconfig support for older <=EL4 systems
[Change] removed extras dshield package which was rarely utilized, users can of course still manually download it from dshield.org
[Change] updates --refresh|-e to utilize new consolidated allow/deny functions and improve performance of refresh (reload) operations
[Change] modified CHANGELOG versioning history to contain release dates back to initial Mar 2003 release
[Change] modified cron.daily to use init script restart operation instead of hard flushing and starting with CLI wrapper
[Change] replace IFACE_IN/OUT variables with IFACE_UNTRUSTED variable in conf.apf
[Change] removed defunct crondcheck() function
[Change] modified devel mode function to use cron.d file instead of directly editing /etc/crontab
[Change] removed glob_allow and glob_deny functions, modified allow|deny_hosts functions to support generic usage across any trust based rule files
[Change] modified ml() and modinit() functions to remove unnecessary checks and simplify usage
[Change] modified cli_trust_remove to remove unnecessary checks and improve accuracy in removing addresses from the running firewall set
[Change] consolidated cli_trust_add|deny into single cli_trust() function; reduce unnecessary checks and redundant scripting
[Change] modified rfxn.com URI references in conf.apf to cdn.rfxn.com
[Change] improved sysctl.conf TCP defaults to reduce TW socket states
[Change] dshield, spamhaus and projecthoneypot drop lists now only filter traffic sourced
from addresses in the respective lists to reduce rule counts instead of to/from
(src & dst)
[Change] internalize a list of local ip addresses and ignore generic to/from allow trust rules
on said local ip list to prevent firewall loopholes due to misconfiguration
[Change] modified tospre/post route function into consolidated tosroute function
[Change] modified preroute/postroute.rules files to remove callouts to tos functions which
are now called prior to the pre/post route file inclusions
[Change] modified cli allow/deny trust functions for improved sanity checks through consolidated
validation callouts
[Change] preroute rules now load before implicit trust on loopback interface traffic so rules can be
applied against loopback traffic if so desired
[Change] consolidated TMP_DROP and TMP_ALLOW chains into REFRESH_TEMP
[Change] updated copyright dates in all output and file headers
[Change] removed use of *_URL_PROT variables, URL's should now be fully qualified URI's (e.g: http://domain.com/path/file)
[Fix] expirebans() would only remove bans that contained comments
[Fix] allow rules in the format advanced trust syntax, when otherwise not defining a protocol, were only applying to TCP traffic
[Fix] trust rules refresh cronjob modified to remove MAILTO & SHELL variables which were causing crond
'bad minute' errors on some systems
[Fix] reordered chain flushes on refresh() to avoid any possible packet loss or loss of connectivity
from hosts in the allow tables
[Fix] SYSCTL_CONNTRACK better handles varied kernel and iptables versions to apply value on correct sysctl
hook file; nf_conntrack_max or ip_conntrack_max
[Fix] set local DNS servers as configured in resolv.conf to bypass RABPSCAN to prevent potential Denial of Service from forged packets
[Fix] restarts in some situations can cause 'iptables: Resource temporarily unavailable' errors, added 2sec
sleep delay on restarts between flush() and start() to prevent resource errors
[Fix] block rules for BLK_PRVNET and BLK_RESNET were being added with no interface modifier and as such had
the potential to block traffic over private and loopback interfaces when it was otherwise not intended
[Fix] in some situations, RABPSCAN would not enable due to kernel module extension variable not being scoped
properly and the check_rab function returning that the kernel did not support ipt/xt_recent