= Changelog for 2005 =

== 0.5.70 alpha 3 (2005-12-27) ==
* Many fixes for UTF-8 support in vuurmuur_conf.
* Improved connection viewer, which supports showing accounting data per connection.
* Vuurmuur, vuurmuur_log and vuurmuur_conf now also have long options thanx to Stefan Ubbink!
* Added manual pages for vuurmuur, vuurmuur_log, vuurmuur_script and vuurmuur_conf.
* Many fixes for manipulating an empty ruleset.

== 0.5.70 alpha 2 (2005-12-18) ==
* UTF-8 support for translations in vuurmuur_conf

== 0.5.70 alpha 1 (2005-12-07) ==
* Made the logging of INVALID packets, SCAN probes, new TCP no SYN and fragments optional.
* Synlimits and udplimits are now enforced against accepted and queue'd connections, not against all packets.
* Added a -k (keep) option to the 'vuurmuur'-command, that does not remove the input file for iptables-restore. Useful for debugging.
* If you change the devicename, the interface will automatically be set 'virtual' if the devicename contains a ":"-character.
* Added a fix for vuurmuur_conf not being able to use any other path for its config than /etc/vuurmuur/vuurmuur_conf.conf
* The rpm specs now also support Fedora Core, Mandriva and Redwall. Thanx Alex!
* Added Norwegian translation. Thanx Per Olav Siggerud!
* Fixed a crash in saving the vuurmuur_conf settings if the configfile could not be found.

== 0.5.69 (2005-11-21) ==
* No changes since alpha 6.

== 0.5.69 alpha 6 (2005-11-15) ==
* Fix a bug with saving rule comments. Thanx for reporting TigerP@irc!
* Fix building of debian packages.

== 0.5.69 alpha 5 (2005-11-10) ==
* Added a fix for systems without nat not working.
* Fixed a bug where long chain names could cause a segmentation fault.
* Added rc.vuurmuur and README.SLACKWARE files written for Slackware by Nicolas Dejardin.
* Updated Brazilian Portuguese translation.

== 0.5.69 alpha 4 (2005-11-06) ==
* Updated Russian translation.
* Added a French translation.
* Fix interfaces network_refcnt not being updated on network removal.
  If you removed a network with interfaces attached to it, you could no longer remove the interfaces.

== 0.5.69 alpha 3 (2005-11-01) ==
* Large translation update to reduce the number of translatable strings.

== 0.5.69 alpha 2 (2005-10-20) ==
* Hugo updated the Brazilian Portuguese translation.
* Alex wrote spec files for rpm support.
* Some changes to the build process to support the rpm-building.

== 0.5.69 alpha 1 (2005-10-11) ==
* Fixed a bug with renaming a network. It could cause an error when updating the rules with the new name. Thanx Hugo for the report.
* Fixed another case where a portfw connection looked like an incoming connection.
* Really fixed the "Broken Pipe" messages this time: let me know if the fix has negative side-effects.
* Virtual interfaces are no longer shown in the status screen.
* Fixed a bug with loglines sometimes being followed by an extra newline in the logviewer.
* Real userid is now determined on startup (the user before su/sudo).
* Added a separate audit.log, in which all configuration changes are logged, including the username.

== 0.5.68 ==
* No changes since alpha 10.

== 0.5.68 alpha 10 ==
* Hugo updated the Brazilian Portuguese translation.
* Very minor update to the Dutch translation.
* Fixed the status about the system not being properly updated.
* Fixed debs not installing services properly.
* Fixed a crash that would occur when switching on the 'draw status in main menu option'.
* Alex updated the Russian translation.

== 0.5.68 alpha 9 ==
* Fixed apply in vuurmuur_script hanging when vuurmuur and vuurmuur_log are not running.
* Added the --list-blocked option to vuurmuur_script. Written by Adi Kriegisch.
* Fixed the logging missing newline and thus making a mess of the logfiles.

== 0.5.68 alpha 8 ==
* Added --block and --unblock options to vuurmuur_script. Written by Adi Kriegisch.
* Added a fix for vuurmuur_conf to compile on Fedora Core 4 (gcc4).
* Fixed the autopackage installing the services in a wrong path.
* Non-existing hosts/groups that are in the blocklist are now loaded into Vuurmuur_conf, so they can be removed there.
* The traffic volume section now hides virtual interfaces to save space for people with lots of them. No data was displayed for them anyway.
* Added --apply option to vuurmuur_script, that tries to apply the changes immediately.

== 0.5.68 alpha 7 ==
* Fixed a buggy indicator introduced in alpha 6.
* Added logfunctions that both log and print to stdout.
* Updated Dutch translation.
* Really fixed the installer to copy the services this time.
* Added a fix that should fix installing the autopackage on Suse 8.0 systems.

== 0.5.68 alpha 6 ==
* Added indicators to lists with items that don't fit on the screen, so the user knows there are more items.
* Fixed the installing of the services in the config on a new source install.
* Updated Brazilian Portuguese translation. Thanks Hugo!
* Added input validation to vuurmuur_script.
* Combined the three autopackages to one package.

== 0.5.68 alpha 5 ==
* Fixed another bug with the rules, also introduced in alpha 3.
* Disabled the 'old create method' because it is difficult to test and maintain.
* Added support for binreloc which is needed in preparation of future Autopackage support. It can be enabled in ./configure with --enable-binreloc
* The readme and install docs are now installed to (datadir)/doc/vuurmuur
* Added Russian translation of the docs. Thank you Alex!

== 0.5.68 alpha 4 ==
* Fixed a bug introduced in alpha 3 that caused the rulesfile to become unreadable.

== 0.5.68 alpha 3 ==
* The installer should no longer fail to --install when the etcdir already exists.
* Renamed sepparator to separator.
* The 'interface up' information should be more reliable.
* Added a warning to the edit_host screen when no ipaddress is filled in.
* The device of an interface is now stored as 'DEVICE' instead of as 'INTERFACE'.
* Changes made to an interface in Vuurmuur_conf are now logged.
* Renamed Bandwidth to Traffic Volume.
* Fixed a broken pipe error in the Vuurmuur_conf Status Section on Gentoo systems. Thanks for the report Sebastian.
* Added some input validation to vuurmuur_script.

== 0.5.68 alpha 2 ==
* Plugins are now stored in (libdir)/vuurmuur/plugins, the plugin config in (sysconfdir)/vuurmuur/plugins. Removed the plugindir option.
* Helpfiles are now stored in (datadir)/vuurmuur/help.
* If you are using a translation of vuurmuur_conf, the helpfunction will try to open a translated helpfile first.
* When creating a new service, it is now checked if a service with the same name already exists.
* Fixed some bogus warnings when creating the hash-table for the connections section.
* The status section no longer loads the hash, because it wasn't used at all.
* Fixed portfw/dnat connections looking like incoming connections in the connection viewer.
* Slight cosmetic fixes to the helpfile.
* Moved the backupscript from the libvuurmuur to the vuurmuur debian package.

== 0.5.68 alpha 1 ==
* Implemented the 'print', 'add', 'delete', 'rename' and 'modify' command in vuurmuur_script.
* When the rules are stored all " are encoded to \" and decoded when they are loaded.
* Fixed a bug where an item added to the blocklist from the logviewer was not saved.
* Added support for rules for acting as a dhcp-server or as a dhcp client.

== 0.5.67 (2005-06-03) ==
* Added support for protocol ipv6-over-ipv4 passthrough (protocol number 41).
* After changes were made to the services, the backend status is updated.
* All protocols are now logged in the trafficlog.
* Fixed a bogus 'internal error' message when trying to add a new group. Reported by Alex. Thanx!
* The mangle and nat table are now properly cleaned on reloading. Thanx for the report Adi.
* Changed the screen update function in the logviewer from wrefresh() to update_panels() + doupdate().
* Added a per-rule option to limit the rules. A burst rate can also be supplied.
* Vuurmuur_conf now checks if an interface is up every time you enter the 'edit interface' screen. The 'interface up?' information is also displayed a little differently.
* A German translation was contributed by Holger Ohmacht. Thank you Holger!
* Implemented the list command in vuurmuur_script.
* Some of the services supplied with Vuurmuur had malformed comments, which could cause a 'buffer overflow' error message. Thanx for reporting Adi!
* Installation should no longer fail if the command 'which' is not installed.
* The main menu, config menus and the select boxes in the edit rule screen now all remember the position of the cursor.
* Added gettext to the build-depends of the vuurmuur_conf debian package.
* Cut off all lines in the helpfile at 80 chars to aid translators.
* The Debian packages and the source installer now first backup your current config. Contributed by Adi Kriegisch.
* Fixed memory leaks in Vuurmuur and Vuurmuur_conf.
* Vuurmuur no longer detects changes in the rules when there are none.

== 0.5.66 (2005-05-19) ==
* Rules and blocklist files are now created if missing. This should fix bugs introduced in 0.5.65.
* Trying to add a host or group to the blocklist while no hosts/groups have been defined yet no longer results in a crash.
* Fixed the installer checking the wrong etc-dir.
* Added 'F6:interfaces' to the menu in edit network, so it is clear that the interface of a network can be edited using F6.
* Updated the Russian translation. Thanx Alex!
* Fixed setting the wrong plugin path when installing the Debian packages.
* Change priority of permission warnings to info, so they appear in the log, but no longer as annoying popups.
* Fixed another bug in the installer which caused the rules- and blocklistcovert functions to be called unneeded and with wrong parameters.

== 0.5.65 (2005-05-18) ==
* Added support for transparent proxies by allowing redirect rules to have a non-firewall destination as well.
* Merged the libvuurmuur and plugins source trees, and vuurmuur and vuurmuur_log source trees.
* Improved detection and reporting of problems in the configuration.
* If opening the backends failed when starting Vuurmuur_conf, the user can now edit the config instead of just exiting.
* Moved the rules and the blocklist into the pluginstructure.
* Added a new 'Chain' action, which enables support for chains left alone by Vuurmuur. Only packets with state NEW will be sent there. The chains will be created if they don't exist.
* Fixed a crash with trying to add a member to a group when there are no hosts in that network. Thanx for the report Heiko!
* Added an about screen in Vuurmuur_conf.
* Added 'firewall(any)' which is useful for creating INPUT rules where you need to connect to the external ipaddress of the firewall from your LAN.
* In the rules section you can now add horizontal lines with the L key. Press enter on a line to add a comment to it.
* Fixed some bugs in the rule parser.
* Changed the way the topmenu is drawn, so it will be easier to change it.
* Removed the ESC key in Vuurmuur_conf as a key to quit because there is a delay between pressing it and the action that needs to follow it.
* Fixed a confusing error message when not all required fields of a rule are filled in. Thanx for the report Edgar.
* Vuurmuur now creates the logdir if it doesn't exist.
* Vuurmuur_log now removes its pidfile when it receives a sigterm. Thanx for the report Holger.
* The macaddress is now properly checked and saved in Vuurmuur_conf. Thank you for reporting Heiko.
* Added the ability to show the loglines that don't match the filter string.
* Added the possibility to filter in the connections screen.
* Snat rules can now also limit the interface which will be used.
* Disabled the --test run of iptables-restore, since it did not work correctly on Debian Woody, and iptables-restore works atomically, so there is no real need for the test.
* Added a Brazilian Portuguese translation contributed by Hugo Ribeiro. Thanx Hugo!

== 0.5.64 (2005-04-19) ==
* Vuurmuur_log no longer fails to create a logfile.
* Really fixed the MASQ action this time.
* Fix compilation on Mandrake 10.0 and possibly on other distros with older versions of automake. Thanx for the report Raldnor.
* Fixed a bug where setting the Mark option caused Vuurmuur to create too many iptables rules.
* Fixed a bug where a rule with action LOG also had log option set, resulting in double iptables rules.
* Fixed some bogus warnings when reloading the blocklist.
* Fixed a crash in the Zones Section of Vuurmuur_conf. Thanks for reporting Hugo and Edgar.
* Support on the system for the mangle table and the nat table is no longer a requirement.
* Renamed special service 'all' to 'any'.
* Added a special zone 'any'.
* Fixed a bug where adding a network gave an error while it actually succeeded.
* Fixed two tiny memory leaks in Vuurmuur_conf.
* Added a Russian translation for Vuurmuur_conf. Thanx for your contribution Aleksander!
* Changed logrotate script to send a SIGHUP to vuurmuur_log after rotating.
* Fixed a bug in the install script. Thanx for the report Alex.
* Fixed a bug where adding a host to the blocklist crashed vuurmuur_conf if the blocklist location was not set.

== 0.5.63 (2005-04-11) ==
* Fixed a bug with loading a malformed traffic.log in Vuurmuur_conf
* A portrange can now also be changed.
* Updated the helpfile for the services.
* Improved reliability of vuurmuur_log.
* Fixed two possible crashcases in libvuurmuur. Thanks for the report Raldnor!
* Improved the checking of the name entered when adding or renaming a host, group, network or zone. Thanks for the report Raldnor!
* Fixed a bug where a MASQ rule ignored the service, and thus applied to all services.
* All important modules are now on the MODULES_TO_LOAD line in the vuurmuur initscript.
* '?' can now also be used to call the help screen.
* Logging of blocklist violations can now be disabled.
* UDP-limit and SYN-limit can now be disabled.
* Files with invalid names in the backend are now silently ignored.
* Vuurmuur_log no longer misses loglines added to the log while reloading.
* Speeded up Vuurmuur_log reloading.
* If applying the changes failed, vuurmuur_conf now prints an error and updates the status to 'warn'.
* All configuration changes made in Vuurmuur_conf are now logged.
* Added a nfmark option to the rules. Rules can now be marked for use with traffic shaping tools. Use 0 - 9 999 999 for accept rules, and 20 000 000 - 29 999 997 for QUEUE rules.
* Because of this, the marks used with markiptstate are also changed: 29 999 998 for new,related, 29 999 999 for established.
* Vuurmuur_conf now supports internationalisation, and comes with a full Dutch translation. Translators for other languages are welcome!
* Vuurmuur now has a -t commandline switch that will disable the capability checking. This will assume all iptables features are supported.
* Using REJECT with tcp-reset together with the protocol 'all' now works correctly, tcp connections will be reset, others result in an icmp-port-unreachable.
* Fixed portfw rules with the remoteport option set. Thanks for the report Phil!

== 0.5.62 (2005-03-01) ==
* In Vuurmuur_conf in the rules section '+' and '-' can now be used to move a rule down and up.
* Added an option to copy (duplicate) the current rule in the rulessection.
* Fixed an obscure bug when forwarding a service with the broadcast option set to a group.
* If Vuurmuur cannot determine all caps, ip_queue is now still checked.
* Added a network reference counter to the interfaces. It must be 0 before an interface can be removed.
* Added -m tcp, -m udp or -m icmp to rules so iptables-restore should now work on Debian Woody.
* Zones, networks, groups, hosts, interfaces and services can be renamed.
* Fixed the status section not being displayed on a small screen with too many interfaces.
* The interfaces section can now handle more interfaces than will fit on the screen.
* The bandwidth usage can now be viewed in Vuurmuur_conf.
* Vuurmuur now uses -D for daemon-mode instead of -l (-l can still be used though).
* Performance of the rulessection when using a filter was much improved.
* Fixed compilation warnings on Mandrake 10.1.
* When a ruleset fails to load the tempfile is no longer removed, so it can be inspected.

== 0.5.61 (2005-02-08) ==
* The iptables option --log-tcp-options is now supported, for use with PSAD 1.4.0.
* Vuurmuur now tries to send a SIGHUP to vuurmuur_log when the interfaces have changed.
* Groups and Hosts now have a blocklist referencecounter, so adding it more than once will result in a warning. Also you must now remove it first from the blocklist before the host/group can be removed.
* libvuurmuur's ./configure now takes an option --with-config-dir=DIR which can be used to set the default config dir.
* Fixed a tiny memory-leak in the capability-checking code.
* Added support for creating debian packages from the source. This makes building debs for other archs possible.
* Added support for bandwidth monitoring using IP Traffic Volume: http://iptrafficvolume.sourceforge.net/
* Fixed a bug with virtual devices and the markiptstate option.
* Vuurmuur_log now also does a reverse check on the service if no service is found by a normal check.
* A new interface by default now has all protection rules set.
* Created a wrapper for set_field_buffer() because on Mandrake 10.1 it didn't accept our input.
* Added '-m tcp' to all rules containing '--tcp-flags' and '--syn' because otherwise iptables-restore didn't work on Debian Woody.
* If the vuurmuur_conf.conf file is missing, a default is now used.
* Big updates to the helpfile.

== 0.5.60 (2005-01-11) ==
* The backend no longer acts weird if it encounters a directory where it expected a file.
* The version of the backendplugin is now passed to Vuurmuur.
* Fixed loglevel again :-( this time the changed log-level (in ruleset-mode) was not applied.
* Hosts now have a reference counter for groupmembership. When a host is still a member of a group, it can't be deleted.
* The option that checks for changed dynamic interfaces now also checks if the interface was just brought up or down.
* A dynamic ipaddress that is down is no longer set inactive by Vuurmuur.
* Increased the default udplimit-burst value to 45.
* Added several new services.

Older changelogs: [wiki:Changelog2004 2004]