Changelog for 2004
- Fixed log-level. It was not working in 'iptables-restore' mode.
- Fixed vuurmuur -C not clearing the UPDLIMIT chain.
- Fixed load_caps sometimes not loading caps correctly.
- Added limits for number of new udp 'connections'.
- Updated the helpfile.
- Besides INS, DEL and the Fx keys, 'normal' keys can now also be used, because on some systems those keys didn't work.
- Fixed bash-output mode.
- The parsing of the tcpflags from the log now ignores the logprefix.
- Added ttl info to the logs.
- Vuurmuur can now create rules using iptables-restore, which is much faster and applies changes atomically.
- Big changes to internal data-structures.
- Updated the helpfile.
- Vuurmuur now checks if the iptables targets and matches it needs are available, and loads them if needed. Vuurmuur_conf can show the capabilities.
- Added four new anti-spoof checks: the link-local net, the IANA-reserved 0.0.0.0/8, broadcast source 0.0.0.0/32 and broadcast destination 255.255.255.255.
- MAC addresses with lowercase letters are now also supported.
- Vuurmuur can now check the dynamic interfaces for changes on a configurable interval.
- Added the possibility to select only one interface from a network when using portfw and redirect. This is meant for cases where a NAT firewall has multiple IP addresses and multiple similar servers behind it.
- Added the possibility to QUEUE instead of ACCEPT when using portfw and redirect.
- Fixed a crash when saving the comment of a group.
- Added support for the AH and ESP protocols, so IPsec should be able to pass the firewall.
- Virtual interfaces no longer have 'protect' rules.
- With virtual interfaces, it is now checked whether it is an old-style alias device like eth0:0 or a normal device with multiple IP addresses.
- Cleanups: removed global var 'debug' from vuurmuur-conf
- Vuurmuur now only reloads changed parts of the config when applying changes
- In the commentfield basic input validation is now performed.
- When reloading the rules, vuurmuur no longer gives an error when the log_policy option is off.
- The broadcast address 255.255.255.255 no longer shows up in the log as internet.ext(broadcast).
- Converted the ints in the hashtables to unsigned ints.
- Improved error-checking in the backend.
- Slightly updated the helpfile.
- Rules now also can be active and inactive.
- Added support for additional logfiles in the logviewer.
- The name of the logging program is now shown in the log.
- get_mac_address and a few other functions now also take the size of the buffer as an argument.
- Cleanups: removed libvuurmuur_debug, renamed QueryData to RuleData, moved read_options to rules.c and renamed it to rules_read_options.
- Totally redesigned the 'protect'-rules. They are no longer a part of the rulesfile, but are connected to the networks and interfaces now.
- Anti-spoofing is now also checked in the FORWARD-chain.
- Fixed a bug where vuurmuur tried (and failed) to create rules for an interface with a dynamic IP which was down. Thanks for the report, Stanks!
- Added a -C option to Vuurmuur which removes all rules and sets the default policy to ACCEPT, so it unloads the firewall.
- The 'iptables' command is now first tested before it is used inside vuurmuur.
- The 'vuurmuur' command can now also be loaded without supplying the fullpath.
- Fixed a bug where inserting a new service or interface with a wrong name would still show the name in the list. Thanks for the report, Stanks!
- Fixed default policy loglimiting not working
- Improved performance of the Rules Section in Vuurmuur_conf when filter is enabled.
- Fixed changed 'virtual' not being detected when reloading an interface.
- Vuurmuur no longer quits when there are non-fatal warnings in the config.
- Vuurmuur_log now also has a shared memory segment for IPC. Vuurmuur-conf now talks to it.
- Moved 'pipe_command' from vuurmuur to libvuurmuur.
- Cleanups again, this time in Vuurmuur-conf, where a lot of structures were removed from main.h.
- (Maybe) fixed a crash-case in compare_ports in libvuurmuur.
- get_dynamic_ip now uses ioctl instead of ifconfig. Thanks for the report, Guillaume!
- Added a statusbox to the mainmenu, which displays the status of your firewall (can be disabled).
- Redesigned the 'apply changes' in Vuurmuur_conf. It now has a simple progress indicator.
- Fixed a bug where opening the connections section or the status section when no zones or services were defined caused 'internal error' messages. Thanks for the report, Dennis!
- Added ruleoption 'loglimit' which limits the number of logs per second for a rule.
- Rules now can have a comment.
- Added a helpfunction. Pressing F12 in most places will popup a help-window.
- When creating a rule, logging is now enabled automatically and a loglimit is set.
- Various parts of the Gui now have 'advanced options' which can be enabled per screen or globally.
- Virtual interfaces (e.g. eth0:0) are now supported.
- The number of loglines in the logviewer can now be configured. Furthermore, HOME and END now work in the logviewer.
- Vuurmuur-conf won't die when the rulesfile or blocklistfile are not found.
- The windows for selecting an ICMP type or code no longer say 'add host'.
- Removed all but one malloc function calls from vuurmuur_log.
- An installation/upgrading script was added.
- The init.d script now checks the return code of vuurmuur and vuurmuur_log, and now also works with Red Hat's chkconfig.
- Redesigned the configsection in the ncurses Gui.
- Added the logging of the tcpflags to the log, as well as the length of the packet.
- Changed the log so the interface is now shown earlier.
- Fixed a bug where you couldn't open the hosts menu if there were no hosts defined yet.
- Added a blocklist. This is a list on which you can place IPs, hosts and groups to be blocked.
- Added synflood protection.
- The logging of all kinds of malicious traffic is now limited to one per sec.
- Fixed a bug that could crash vuurmuur if a zone was added.
- Improved the connectionviewer.
- When applying changes, the config is now also reloaded.
- Paths in the config are now checked.
- Before searching through the log a check is now done to see if the script can be opened.
- Improved/fixed the markiptstate stuff.
- Added a search function in vuurmuur_conf to search through logs, even the 'rotated' ones.
- In the configfile you no longer need to supply the location of each logfile, but now you just need to tell vuurmuur the directory.
- When creating/editing a rule, the rule is now checked for sanity.
- Added some basic checking in the configure scripts.
- Added a scripts_dir option.
- Various code cleanups.
- Fixed a bug where reading a very long hostname or groupname from the backend would fail.
- Added 'markiptstate' option to the ruleoptions which adds support for the Snort_inline iptstate-patch by William Metcalf and myself. The patch will probably/hopefully be included in the next release of Snort_inline.
- Cleaned up create_rule more.
- The logprefix field in vuurmuur_conf was too big, adjusted.
- Logging of incoming broadcasts was fixed.
- When creating a QUEUE rule an optional protocol helper is now supported (needs the iptables helper module). In a service the protocol helper (like ip_conntrack_ftp) can be supplied.
- MAC addresses are now also logged in the trafficlog.
- Fixed a bug that would crash vuurmuur if it tried to create a rule with a group without members.
- Redirect was fixed.
- The create_rule function was cleaned up
- When forwarding rules are created, IP forwarding is now automagically enabled, and vice versa.
- An initscript was added; look in vuurmuur/scripts.
- Fixed redirectport option not appearing when selecting the action redirect in the edit_rule window.
- A few cosmetic changes
- In the log a broadcast address is now shown as networkname(broadcast), like in the connections section in vuurmuur_conf.
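Several entries above (the four anti-spoof checks, anti-spoofing in the FORWARD chain, the one-per-second limit on logging malicious traffic, applying rules atomically with iptables-restore, and the -C unload option) describe what the generated iptables rules look like without showing them. The script below is an added example, not Vuurmuur's own code or output: it prints an iptables-restore ruleset that implements those checks on both INPUT and FORWARD with a rate-limited LOG before the DROP, and the empty ACCEPT-policy table that unloading amounts to. The chain name ANTISPOOF, the log prefixes and the default interface eth0 are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not code from the Vuurmuur project. It only prints
# iptables-restore input and never touches the kernel. Apply as root with:
#   gen_ruleset eth0 | iptables-restore
# The chain name ANTISPOOF and the log prefixes are assumptions of this example.

# log_then_drop CHAIN MATCH PREFIX
# A LOG rule limited to 1/second (the limit match's default burst is 5) followed
# by an unlimited DROP: a flood of spoofed packets cannot fill the log, yet every
# such packet is still dropped.
log_then_drop() {
    chain=$1; match=$2; prefix=$3
    printf '%s\n' "-A $chain $match -m limit --limit 1/second -j LOG --log-prefix \"$prefix \""
    printf '%s\n' "-A $chain $match -j DROP"
}

# antispoof_chain IFACE
# The four checks from the changelog: link-local source, IANA-reserved 0.0.0.0/8
# source, 0.0.0.0/32 source and 255.255.255.255 destination. 0.0.0.0/8 already
# contains 0.0.0.0/32; they are kept separate so each can be switched off on its
# own: a DHCP server reachable through IFACE must still receive DHCPDISCOVER,
# which is sent from source 0.0.0.0 to 255.255.255.255.
# The prefixes stay under the LOG target's 29-character limit.
antispoof_chain() {
    iface=$1
    for net in 169.254.0.0/16 0.0.0.0/8 0.0.0.0/32; do
        log_then_drop ANTISPOOF "-i $iface -s $net" "vrmr: spoof $net"
    done
    log_then_drop ANTISPOOF "-i $iface -d 255.255.255.255" "vrmr: bcast-dst"
}

# gen_ruleset IFACE
# One complete filter table. iptables-restore swaps the whole table in at the
# COMMIT, so old and new rules are never active at the same time.
gen_ruleset() {
    iface=$1
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':ANTISPOOF - [0:0]'
    antispoof_chain "$iface"
    # Spoofed sources are checked for local and forwarded traffic alike.
    printf '%s\n' "-A INPUT -i $iface -j ANTISPOOF" "-A FORWARD -i $iface -j ANTISPOOF"
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# gen_unload
# What 'vuurmuur -C' amounts to: no rules and ACCEPT policies. iptables-restore
# flushes the table before loading, so committing this unloads the firewall.
gen_unload() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' 'COMMIT'
}

gen_ruleset "${1:-eth0}"
```

Note that the 0.0.0.0/32 source check is the one to drop on an interface that serves DHCP, and that `iptables-restore --test` can be used to syntax-check the generated ruleset without loading it.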