added: Initial import of the 1.9-branch

git-svn-id: https://rocky.eld.leidenuniv.nl/svn/aif/1.9@1 2cdb06df-4b6c-47a8-a790-b77aef9f425a

Author: arnova

CHANGELOG

@@ -0,0 +1,276 @@
+Version 1.9.2e-DEVEL (September 2, 2009)
+--------------------------------
+* We should explicitly enable net.netfilter.nf_conntrack_acct for kernel 2.6.27+
+  to allow the use of traffic accounting and such (thank Lonnie)
+
+Version 1.9.2d (August 24, 2009)
+--------------------------------
+* Renamed module_probe() to modprobe() and added deprecation warning
++ Updated traffic accounting plugin. Fixes another "rule-leak"
++ Updated sip-voip plugin (thanks Philip)
++ Updated traffic-shaper plugin (thanks Philip)
+
+Version 1.9.2c (July 29, 2009)
+------------------------------
+! On reinit we must flush all chains in the nat & mangle tables else
+  they will keep growing (Thanks Lonnie)
++ Updated IPSEC VPN plugin (Thanks Philip)
++ Updated Traffic Accounting plugin
++ Updated DynDNS Open plugin
++ Updated IDS plugin
+! Fixed ICMP checks for IPv6
+* Less defaulting to all ports/all hosts for several rules. This should mainly
+  improve security in case of incorrect rules/configurations
+
+Version 1.9.2b (June 25, 2009)
+------------------------------
+! Fixed DSL plugin causing errors on restart
+* Detected iptables errors are now reported as WARNING rather than ERROR when the script finishes
++ Updated IPSEC-VPN plugin (Thanks Philip)
+* Moved .aif_active_plugins to /var/tmp/
++ Detect plugins on stop() that have their priority number changed
+
+Version 1.9.2a (June 9, 2009)
+-----------------------------
+* Dropped requirement of the ip binary in the main script
+
+Version 1.9.2 (June 4, 2009)
+----------------------------
+* Bumped installer version to 1.0
+! Fixed check_binary failed on dash-based systems (like Ubuntu) (Thanks Lonnie!)
+! Fixed some bashisms
+! Fixed DMZ_LAN_HOST_OPEN_IP didn't work
+
+Version 1.9.1-RC1 (May 20, 2009)
+--------------------------------
+! Fixed DMZ_LAN_HOST_OPEN_xxx source hosts weren't parsed properly (Thanks to Lonnie Abelbeck)
+! Fixed LOG_HOST_OUTPUT_xxx format error (Thanks to Lonnie Abelbeck)
++ Added local DNAT redirect support (Thanks to Philip Prindeville)
++ Added experimental DMZ-NAT plugin (Thanks to Philip Prindeville)
++ Implemented NAT_PREROUTING_CHAIN, POST_NAT_PREROUTING_CHAIN,
+  NAT_POSTROUTING_CHAIN & POST_NAT_POSTROUTING_CHAIN chains
+* Replaced DMZ_IF_TRUST and INT_IF_TRUST with the new IF_TRUSTS variable.
+  You can use | to create seperate groups of interfaces.
++ We now detect whether iptables (/ip4tables/ip6tables) failed (somewhere)
+  during startup and report this at the end
+! Fixed NAT_FORWARD_IP not working
+! Several fixes/changes in the rule parsers
+* Moved from using the $IPTABLES/$IP4TABLES/$IP6TABLES variables to functions
+  (Thanks Philip Prindeville). This should ie. allow proper tracing.
++ Iptables errors will now be shown in red, to better point them out
++ Implemented some additional chains (for ie. plugin use)
+- Reverted flushing user chains before stopping plugins, it causes disconnections.
+* Several cleanups/optimizations (thanks to Philip Prindeville, Lonnie Abelbeck
+  & Roy Lanek)
+* Major cleanup of functions etc.
+
+Version 1.9.1-BETA1 (April 5, 2009)
+-----------------------------------
+* On a restart the "user_chains" are now flushed before the plugins are stopped
++ Implemented INPUT/FORWARD/OUTPUT_CHAIN. In this way we no longer have to clutter
+  the builtin INPUT/FORWARD/OUTPUT chains.
+* !!!! Changed the seperator for interface restrictions to # (ie. eth0#.....)!!!
+  This code is now much cleaner and the way rules work is a lot more logical :)
+! Fixed warnings with newer iptables versions
++ Plugin status & stop are now only called when the plugin is actually listed
+  as being previously loaded (Thanks to Lonnie Abelbeck). ALL PLUGINS MUST BE
+  UPDATED ACCORDINGLY!
+* Rewrote the startup (and restart) code. This should make the restart command
+  working a lot better (although it may also have broken some stuff)
++ Misc. tweaks
++ Added option to use extra arguments for functions that use dig
++ Updated several plugins
+! EOL specification was invalid in the environment file
+
+Version 1.9.0b (February 27, 2009)
+----------------------------------
+! Fixed some security issues concerning firewall restart (thanks to Lonnie Abelbeck)
+! Fixed invalid EOL causing blocked hosts to fail
+! Fixed invalid sed-syntax causing blocked hosts to fail
+- Removed MAC-filter from the main script (will be moved to seperate plugin)
+! Fixed OUTPUT policy didn't get applied
+! Fixed LOG_xxx_INPUT should be LOG_INPUT_xxx in the config file
+* Small tweaks in the install script
++ Added wildcard_ifs() function to the environment-file
++ Updated several plugins
+* Cleanup + fixed several typos (thanks Philip Prindeville)
+* The restart command will now block all traffic from the external interfaces.
++ Host-block now has the option to keep established TCP connections, usefull for
+  our restart command to NOT kill any running SSH connections
++ New (seperate) MAC filter plugin. Also allows to "lock" a MAC to an IP now
+
+Version 1.9.0a (January 8, 2009)
+--------------------------------
+! Several fixes in the install script
+
+Version 1.9.0 (January 7, 2009)
+-------------------------------
++ Some more fallback safeguards
+! Fixed LAN_INET_HOST_DENY_TCP/UDP (stupid typo)
+! Trimmed too long log messages
+* Set timeout/retry values to default for dig functions in the env-file
+! Fixed sysctl for ie. busybox setups which don't support -q. Implemented sysctl
+  wrapper for this (like with module_probe())
++ Added new traffic shaper (thanks to Lonnie Abelbeck)
+- Removed old hfsc traffic shaper
++ Added net.netfilter.nf_conntrack_max as additional sysctl key
++ Added AIF:-prefix to all LOG messages
++ Added ENV_FILE fallback in case it's not specified in the config-file
++ Enhanced the environment file to make it more robust in case config stuff is missing
+- Removed <=2.2 kernel check
+! Minor fix in the init script
+! Fix bug in the install script which broke setting basic config
+* Disabled verbose by default in the init script (set VERBOSE=1 inside
+  /etc/init.d/arno-iptables-firewall to enable again)
+* Misc. plugin updates
+* Misc. tweaks in the install script
+
+Version 1.9.0-rc4 (November 23, 2008)
+-------------------------------------
+! Fixed hfsc plugin on ubuntu
+! Fixed install script on ubuntu
+* Moved /usr/share stuff to /usr/local/share (where it belongs). This is hopefully
+  the last major change.
++ Updated DynDNS plugin to 0.23BETA. It now automatically creates/removes the cron job
++ Updated Traffic Accounting plugin to 0.2BETA
+* man pages are now gzipped by the installer
+! Fixed incorrect configuration file used for the transparent proxy plugin
+! Installer didn't setup a symlink in /etc/rcS.d to start the firewall at boot
++ Added uninstall script
+! Several fixes in the install script
+* Misc. tweaks & fixes
+
+Version 1.9.0-rc3 (September 4, 2008)
+-------------------------------------
+! Fixed dsl-ppp-modem plugin was accidently DOS-formatted
+! Fixed dsl-ppp-modem was accidently referring to adsl-ppp-modem.conf instead
+  of dsl-ppp-modem.conf
+! Fixed aliased-inet-IP support in the NAT forwarding code
+! Fixed several problems in the installation script
+! Fixed broken dyndns-plugin
+* Cosmetic tweaks
+
+Version 1.9.0-rc2 (September 3, 2008)
+-------------------------------------
++ Added new DynDNS plugin to open ports for DynDNS (internet) hosts
++ Updated serveral plugins
+* Default policy for LAN->INET, DMZ->INET, INET->DMZ etc. is now ACCEPT (at the
+  (end of the chain) unless an OPEN_xxx is specified, in that case the default is DROP
+! Fixed the use of source-destination-ip's with NAT forwards
++ Basic install script added (install.sh). Probably can use a lot of improvements.
+* Moved a lot of functions/variables into a new separate "environment"-file.
+  (located in /usr/share/arno-iptables-firewall/). This should make easier for
+  ie. helper-scripts to use AIF's functions & variables
+* Minor changes/updates in the plugins (slighty modified skeleton for example)
+- Removed dsl ppp modem code and moved it into a separate plugin
+* (Cosmetic) tweaks in the module_probe() function
+- Removed transparent proxy code and moved it into a separate plugin
+* IPv6 drop-policy setting (when IPv4 is selected) now only performed if IPv6
+  is available on the system
++ Added $network to the Debian LSB headers
+* IDS plugin now uses priority 90 (near last)
+* Linux-igd plugin is no longer enabled by default (it was never intended to be so)
+* Changed default firewall log file to /var/log/firewall.log
+* Renamed POST_INPUT_CHAIN to POST_INPUT_DROP_CHAIN (+updated IDS plugin accordingly)
++ Implemented new POST_INPUT_CHAIN, POST_FORWARD_CHAIN & POST_OUTPUT_CHAIN
+* Misc. (cosmetic) changes
+
+Version 1.9.0-rc1 (July 29, 2008)
+----------------------------------
+! Fixed a bug in the nat forwarding code causing interfaces not to work
++ Updated ipsec-vpn plugin (& renamed from "racoon-ipsec-vpn")
+* Updates to the README-file
+* Misc. changes
+
+Version 1.9.0-beta3 (May 25, 2008)
+----------------------------------
++ Implemented check-conf argument to only perform a sanity check
+! Fixed no_broadcast code
++ Added HIGHLY EXPERIMENTAL IDS plugin
++ Added IDS hook in the main script (via POST_XXX_XXX CHAINS)
++ Added stop-block argument
+- Deprecated LOOSE_UDP_PATCH
+* Switched from /proc to sysctl for setting kernel options
+* Missing sysctl conntrack setting is NOW fatal
+! Fixed unreferenced get_protos_ip
++ Added $network to the Debian init.d headers
+* Misc. (cosmetic) tweaks
+
+Version 1.9.0-beta2 (March 23, 2008)
+------------------------------------
+! Fixed echo output showing hosts that shouldn't be displayed
+* Now IPv4 traffic will have a default policy of DROP when IPv6 is enabled and visa versa
++ Added LOCAL_CONFIG_FILE variable to allow ie. certain user/global/local settings
+  to be sourced into the script
++ Implemented plugin_status() support
++ Implemented plugin_stop() support
++ Updated several plugins. Multiroute now has a proper stop() section for example
+! Fixed error on missing /proc/ queue_maxlen....
+! Fixed support for legacy plugins
+
+Version 1.9.0-beta1 (January 17, 2008)
+--------------------------------------
+! Fix /proc/.../ conntrack set for newer kernels
+! Fixed bug (typo) in $REJECT_TCP_NOLOG
+! Fixed DEFAULT value's in the helper parsing functions causing ie. simple portforwards
+  not to work
+! Fixed missing default value's for the source hosts in the NAT portforwards
+! Several (regression) fixes in the NAT forwarding rules
+! Fixed a regression bug in the module_probe() function
+! Several regression fixes in the interface sanity_check()
+* Minor cosmetic changes
+
+Version 1.9.0-ALPHA2 (December 18, 2007)
+----------------------------------------
+! Fixed ICMPv6 types
+* All (user) chains are now created in the beginning to allow plugins/custom
+  rules to add rules to them.
++ Implemented separate variables for the iptables & ip6tables binaries. Instead
+  of selecting the binary itself, IPv6 support can now be enabled/disabled via
+  variable IPV6_SUPPORT
+! Several fixes for IPv6 support
++ Implemented IPV6_SUPPORT variable for the "actual" IPV6 support
+* Moved "old" IPV6_OVER_IPV4 to a plugin
+* Host block now performed for ALL interfaces, not just the external one
+* ICMP flooding changed from 20/sec max to 60/sec max.
++ Added suport for aliased external interface / multi-IP support. You can now
+  also use the IP (instead of interface) of the interface to restrict INPUT/OUTPUT-
+  rules
+! Fixed the HOST_ output logging rules
+! Fixed interface check in sanity_check()
+! Misc. bug fixes
++ Major cleanup
+* Cosmetic changes
+
+Version 1.9.0-ALPHA1 (December 5, 2007)
+---------------------------------------
++ Added DEFAULT_POLICY_DROP option to allow users to disable setting iptables
+  default policy to DROP. Mainly useful for people who boot from ie. NFS
+  (diskless client systems).
++ DNAT plugin update. Switched from OUTPUT to PREROUTING for the DNAT rule.
+! Fixed a minor bug in the NAT forwards: the FORWARD rule was missing the host destination
++ Experimental IPv6 support. You can switch from IPv4 to IPv6 by simply changing
+  the iptables into "ip6tables". Note that I'm currently not able to test it, as
+  I don't have any IPv6 environment.
+* NAT forwards no longer use : for host/port separation due to problems with
+  future IPv6 support. Now the new separator (~) is also used for this.
++ Implemented DMZ_IF_TRUST trust, to setup DMZ-DMZ trusts
+* Antispoof for DMZ & INTERNAL net now only enabled when INT_IF / DMZ_IF set
++ Implemented start/stop command for plugins. Now plugins can also contain code
+  to be executed whenever the firewall stops. The start or stop command is
+  put the environment variable called "PLUGIN_CMD" (which the plugin can read).
++ Major (and I mean, really MAJOR) code cleanup. This possibly broke a lot of stuff.
++ Implemented IP address ranges for ALL variables (use like 192.168.1.10-20)
++ Implemented support for restriction rules to apply only for certain external interfaces
+* !!! Separator for combined host/port rules changed from : to ~ . This is mainly to
+  be able create cleaner/easier parse functions & prevent any possible problems
+  with the support for IPv6 (addresses), which also uses : !!!!
+! Fixed INVALID rule for UDP
+* Changed the name of a lot of inconsistent variables. Unfortunately this means
+  that the new config won't be fully backwards compatible with firewall version 1.8
+* Changed order of some of the variables in the config file so they are more
+  synced to the logic flow/order of the firewall script
+* Plugin support moved to the main script
+* Plugin binaries moved to /usr/share/arno-iptables-firewall/plugins
++ (Finally) implemented nice init.d script with configurable verbosity
+* Misc. cosmetic changes