Brad Cowie edited this page Dec 9, 2013 · 4 revisions

2013-12-09: Brad Cowie

  • Fix bug in init script that causes ip6tables to not be flushed on stop action.
  • Fix bug where NFLOG rules will never work.

2013-05-03: Brad Cowie & Chris Browning

  • New firewall load modes have been introduced. The default mode now allows bearwall to load it's firewall rules atomically without preventing traffic from reaching the machine while firewall rules are being reloaded. Read bearwall.conf for full details.
  • Bearwall will now display errors instead of throwing them away allowing bad firewall rules to be found more easily.
  • There is a new debug mode for helping discover the root cause of a bearwall ruleset that causes bearwall to break (Usage: bearwall -d)
  • Released as version 1.08

2013-03-27: Brad Cowie

  • Support new logging styles
    • Added NFLOG support to prevent rule matches ending up in dmesg
  • Added bearwall global configuration file
  • Released as version 1.07

2012-03-10: Matt Brown

  • Support running on systems using busybox grep
    • Convert perl style regexes to posix extended format.

2011-08-22: Matt Brown

  • Add support for Linux kernel 3.
  • Fix IPv6 support (previously buggy/non-functional).
  • Fix flushing logic to support IPv6, and add the ability to reset policies after flushing.
  • Expose the ability to flush tables when called with -f.
  • Release as version 1.06

2011-06-17: Jamie Curtis

  • Migrate Makefile to doing stuff nicely with git
  • Fix make release for new git world.

2011-04-07: Jamie Curtis

  • Fix bug with importing rulesets with $SHEL instead of $BASH

2011-03-10: Jamie Curtis

  • Changed iptables rules around to avoid depricated ordering
  • Fixed bugs in some of the default rulesets

2009-12-11: Jamie Curtis

  • Add support for modern kernels netfilter changes
  • Upped to version 1.04

2006-12-11: Perry Lorier

  • Add mangle-{pre,post,fw}-* support.
  • Upped to version 1.03

2006-12-11: Jamie Curtis

  • Increased version for release
    • Added some extra ToDo's

2006-12-08: Perry Lorier

  • Added proper "mangle" support
    • allow you to use "mangle-out" and "mangle-in" targets.

2006-04-06: Matt Brown

  • Reworked example external interface class
    • Don't allow FTP/ident and wand/wansd from the Internet by default
    • Don't allow MS worm traffic to transit to/from the Internet
    • Removed the need to specify the source networks to MASQUERADE for

2006-04-03: Jamie Curtis

  • Convert from SF CVS to SVN

  • Merge in IT Partners linuxserver-firewall changes

    • log-prefix now has "FW/" prepended for all logs
    • Allow for FHS / Debian directory layouts
    • Check interfaces.d exists and contains files
      • Fix bug that allowed execution to continue if interfaces.d didn't exist !
  • Move hosts.d to $CONFDIR, not $BASEDIR (they are user configured host overrides !)

  • Changed syntax of how $IPTABLES was set in rulset.functions for consistency.

  • Added simple command line options, -v or --version for the current version or anything else tells you to read the man page.

  • Move all sanity tests to the top of the script so we don't start building the firewall only to find we don't have something later !

  • Removed from hosts.d that used to point all OUTPUT to the classify ruleset. Playing with TOS bits can cause problems on todays broken Intarweb.

  • Made modprobe that may fail use "-q" to supress error output.

  • Move the actual firewall script to src/ so it can be built by the Makefile

  • Made the documentation and firewall be built by the Makefile so they all refer to the correct file locations.

  • Split up Makefile install into install-bin and install-conf, added install-doc and made install depend on all of them.

  • Got rid of inforced requirement for rulesets to be +x

  • Reverted installing rulsets +x as it's no longer required.

  • Fixed typo's in paranoia ruleset

  • Fixed polite_deny to target to DROP and removed stupid extra re-defined copy of polite_deny.

  • Added polite_drop target to follow IPtables naming.

  • Converted rulesets to use polite_drop not deny.

  • Fixed example of TCPMSS hacking in classes.d/external so it would actually work !

Sometime before 2006-04-01: Probably Perry Lorier

  • Fixed 2.4/2.6 issue, will now work on both versions

  • Fixed bash LANG problem that broke a check

  • Don't complain if there are no host exceptions.

2003-06-07: Perry Lorier

  • Fixed nasty bug with FORWARD chain (which nobody used anyway, sigh)

  • Added some new rulesets (routing-trust) and cleaned up some others

  • Added some more examples to the classes

  • Added support for more of the mangle table targets

  • Fixed bug with leaving empty chains around the place

  • Fixed bug with spewing errors about not being able to delete chains

  • Default log level is now very low, except for End of * messages, added comment to these to hint that these are a configuration error.

2002-09-18: Perry Lorier

  • Moved all the examples out of interfaces.d into classes.d and recommended people create symlinks from interfaces.d into classes.d

  • added ifup and ifdown firewall scripts to add and delete an interface. This involved a lot of restructuring. a series of new chains were created called "in-fw", "out-fw" etc, the various interface chains are linked off these. ifup and ifdown can take a second argument which is the "fake" name of the interface. for example if you have a wireless network card:

          # start up at home
          ifup eth0 home
          # ... play ...
          # leave home
          ifdown eth0
          # get to work
          ifup eth0 work
          # ... work ...
          # leave work
          ifdown eth0
          # etc
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.