Changes to the ipfwadm Dotfile Module
- (03/13/99 snapshot)
- Fixed a bug in the local-interface rules for localhost-to-any TCP and
UDP traffic.
- Fixed a bug where DEFAULT DENY would block non-masq traffic to sl0, thus
preventing the firewall itself from bringing up a diald-managed link.
- Added local-network-access-to-firewall controls.
- Added blocking of ICMP Redirect attacks.
- Improved support for DEFAULT DENY when masquerading.
- 0.26 beta 1 (10/06/98 snapshot)
- A few bugfixes.
- Added rule to allow masqueraded systems to bring up the link when the
default policy is DENY.
- Reset locale settings so that the output from ifconfig can be parsed
properly in non-English locales.
- Lots of new anti-attack rules.
- Much better support for Default Deny sites.
- A lot of simplification of the rule-generating code, in preparation for
adding ipchains support.
- It now looks for a file named port-numbers in the CWD before using
/etc/services to generate the service list, in case you grab the current
definitive IANA port numbers file.
- Rules are now generated using port numbers rather than service names, to
allow for incomplete or out-of-date /etc/services files.
- Simplified a balky RE by running /etc/services through
expand to expand tabs before parsing. Of course, this means that
if you don't have expand installed, you'll need to
manually expand the tabs or you won't see all of your service
options in the drop-down service lists.
- 0.25 beta 4 (02/14/98 snapshot)
- Added option to use default filter on subnetted Private-Address local
networks.
- 0.25 beta 3 (02/07/98 snapshot)
- Tweaked anti-spoofing and added anti-loopback-attack rules.
- Fixed the rules allowing local-network traffic in if the default policy
is DENY (DOH!) and added rules accepting ICMP traffic.
- Added some intelligence to the multihomed case: if you are multihomed
and have your local network on eth1 and the Internet on eth0, and if your
local network is a Private-IP-Address network, the generator will detect
this and automatically fix its internal setup. You do not need to edit
main.template any more in this situation.
- 0.25 beta 2 (02/01/98 snapshot)
- Added more anti-spoofing rules.
- Added rules to allow local-network traffic in if the default policy
is DENY. (DOH!)
- Default policies are now ACCEPT and DENY. The module generates rules
to deny Internet traffic and reject local-net traffic, to aid in
debugging while minimizing information provided to the world at large.
Also, these rules log discarded packets.
If you had your default policy set to REJECT, please set it to DENY!
- 0.25 beta 1 (01/23/98 snapshot)
- Added ability to block traffic from Internet hosts' ftp-data port to
local network X server, to block X server attacks from poorly
administered hosts or hosts administered by crackers.
- Added ability to preemptively block all traffic from the Internet to
local network X servers, if desired.
- Added ability to do point-to-point masquerading on internal
firewalls, to allow such things as access from a private-network-IP local
network host to an ISP POP server for mail retrieval.
- Added blocking of pings to the local-network broadcast address.
This prevents host detection and participation in smurf attacks.
- Added more intelligent handling of antispoofing: if your local
network is a private-IP network, some of the specific anti-spoof traps
are handled by the general private-network address traps. These duplicate
rules are now suppressed.
- Added type-of-service manipulation for ftp-data connections.
- 0.24 beta 3 (11/23/97 snapshot)
- Bugfix: a typo in allow-local-hosts generated a rule forwarding the wrong
protocol.
- 0.24 beta 2 (11/22/97 snapshot)
- 0.24 beta 1 (11/07/97 snapshot)
- Added logging of inbound packets that have been denied.
- Added support for specifying the IP address and netmask of an Internet
host or network from a file in the Allow: Point-to-Point and Allow: Per
Host, Internet Hosts screens. The method used is the same as for the
HTTP-blocklist and SMTP-blocklist file (i.e. one IP/maskbits specified per
line in an ASCII text file). Any number of these files may be specified.
- 0.23 beta 3 (08/19/97 snapshot)
- Added support for internal firewalls (between private network
segments or between the private and boundary networks).
- 0.23 beta 2 (08/13/97 snapshot)
- Added support for point-to-point (host-to-host as opposed to
host-to-net or net-to-host) filtering.
- Tightened up the ftp-data backchannel filter a bit.
- 0.23 beta 1 (08/12/97 snapshot)
- Added support for firewalling a standalone host.
- 0.22 beta 2 (08/05/97 snapshot)
- Added the ability to allow/deny inbound ICMP query messages.
- Setting the default policy to ACCEPT is now postponed until
the firewall configuration has completed, to prevent transient security
holes during the setup of the firewall.
- Added support for an SMTP Block List file, to block inbound email without
having to regenerate the firewall file every time a change is made.
- 0.22 beta 1 (06/29/97 snapshot)
- Added support for an HTTP Block List file, to block web sites without
having to regenerate the firewall file every time a change is made.
- Added support for SLIP: sl0 without diald, sl1 with diald.
- When either of the unrestricted outbound TCP options are
selected, the code that lets ftp-data traffic back in is automatically
generated. You no longer need to explicitly include ftp in the services
list to accomplish this.
- When the unrestricted outbound TCP to all ports option is selected,
code generation for any explicitly listed outbound TCP services is
suppressed to keep the generated file minimized: outbound traffic
to all ports is already allowed, so listing them individually would
be redundant.
- 0.21 beta 1 (05/04/97)
- Added support for ISDN (ippp0), both dynamic and static.
If you use the ip-up option it should already work, as the port name
is supplied by pppd.
- Added unrestricted outbound TCP option (allow ports 1:65535).
- Added comments regarding the 2.0.30 kernel to the IP Masquerade page.
- Cleaned up some of the help texts and corrected a bug in Static-IP
PPP script-variable generation.
- 0.20 beta 1 bugfix (04/28/97)
- I keep forgetting that "set varname value #comment"
doesn't work in TCL.
- 0.20 beta 1 (04/15/1997 - happy tax day!)
- Kernel 2.0.30 support: masquerade CU-SeeMe, Quake and VDOLive.
- Allow specification of which masquerade support modules
to load.
- Cleaned up forwarding detection. No longer uses /proc/ksyms.
- Made multihomed ethernet configuration more flexible: Rather than
assuming local net is on eth0 and Internet is on
eth1, allow the user to configure this by changing two
variables in main.template.
- Allow specification of port ranges (e.g. 8000:8080/tcp)
in ALLOW and DENY rules.
- Don't use $ALL before it's defined. (Sorry, non-ip-up users!)
- A handful of minor bug fixes.
- Expanded comments and some help texts a bit.
Caveat: unfortunately I don't have a great deal of spare time to actually
test this for configurations other than what I use: dynamic PPP, diald
and ip-up, with light masquerade use. I'd appreciate feedback from users
with different Internet access and local network configurations -
feedback from experienced network managers is especially welcome.
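The block-list file format described in the 0.24 beta 1 and 0.22 entries above (one IP/maskbits per line, read when the firewall script runs so the firewall file itself need not be regenerated), as an added shell example that is not part of the module or its generated code. The function names, the interface ppp0 and port 25 in the usage line are hypothetical; the ipfwadm flags are the standard -I, -a, -P, -S, -D, -W and -o.

```shell
#!/bin/sh
# Reads a block-list file (one "IP/maskbits" per line, '#' comments) and
# prints one ipfwadm deny rule per entry, for use at firewall start-up.
# Function names, the sample interface and the port are hypothetical.
# ipfwadm flags used: -I input chain, -a deny (append a deny rule),
# -P protocol, -S source, -D destination [port], -W interface, -o log.

# Accept "a.b.c.d" or "a.b.c.d/bits"; print "addr mask" or return 1.
parse_entry() {
    case $1 in
        *[!0-9./]*|*/*/*|/*|*/) return 1 ;;   # stray chars, two slashes, empty side
    esac
    addr=${1%%/*}
    mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32               # no /bits given: a single host
    case $mask in *.*) return 1 ;; esac         # dotted-quad masks not supported
    [ "$mask" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $addr; IFS=$oldIFS
    [ $# -eq 4 ] || return 1                    # exactly four octets
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    echo "$addr $mask"
}

# Usage: generate_blocklist_rules FILE PROTO DEST_PORT IFACE
# Malformed lines are reported on stderr and skipped rather than
# producing a rule that would make the firewall script abort half-way.
generate_blocklist_rules() {
    file=$1; proto=$2; port=$3; iface=$4
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
    while read -r entry _rest; do
        if parsed=$(parse_entry "$entry"); then
            set -- $parsed
            echo "ipfwadm -I -a deny -P $proto -S $1/$2 -D 0.0.0.0/0 $port -W $iface -o"
        else
            echo "block list: skipping malformed entry '$entry'" >&2
        fi
    done
}

# Stand-alone use: sh thisfile smtp-blocklist.txt tcp 25 ppp0
if [ $# -ge 4 ]; then generate_blocklist_rules "$@"; fi
```

Because the rules are produced when the script runs, editing the list and re-running the firewall script is enough to pick up a new entry.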
$Id: ipfwadm-changes.html,v 1.23 1999-03-13 21:46:21-08 jhardin Exp jhardin $