forked from firehol/firehol
NEWS
2015/10/10:
Release of version 3.0.0-rc.3
More wide-ranging improvements
Common:
- ipset fixes
- require pandoc 1.12.2.1 and use its features
- improve contents page in documentation
FireHOL updates:
- made STOP mode exit successfully
- add support for restore when specifying a filename on the command line
- allow multiple "except" rules in statements that accept the keyword
- disabled spinner in explain mode
- add support for comma as an ipset IP separator
- tproxy now uses markdef() to allocate a mark
- save marks.conf only after successful firewall activation
- drop requirement for awk (other programs still use it)
- add log() and loglimit() helpers to allow logging from ipsets globally
- prevented backup of all the ipsets in memory - it takes too long
  when the system has many ipsets installed
- rewrote the ipsets functionality so that:
  - it optimizes netsets with iprange if present
  - it adapts the maxelem parameter for the updated ipset so that
    updating ipsets with big incremental updates does not fail
  - it maintains compatibility with older ipset versions
    (side-effect: calling an ipset update without restarting the
    firewall now only supports ipsets that are used in firehol.conf)
  - if iprange is present, processing of ipsets is a lot faster
FireQOS updates:
- add ability to stop QoS on a specific device
- fix for ERROR columns on some tc versions
- max/ceil % is now relative to the parent's ceiling rate
  (it was mistakenly relative to the parent's base rate)
- warn if a class takes priority outside the valid ranges of HTB (0-7)
- switched default color from blue to green
Link-Balancer updates:
- add wrappers for rawmark() and custommark()
- when a table was already up to date but others depended on it, it failed (#78)
- fix issue when specifying loop and timeout (#77)
Contrib (ipsets scripts):
- various fixes and lists added
- support aggregate to optimize netsets
- support syslog logging
- add iprange program, with various enhancements over the original
VNetBuild added
2015/03/14:
Release of version 3.0.0-rc.2
More wide-ranging improvements before a final release
Common:
- Added --disable-doc to configure script to stop the installation
of PDF and HTML versions of documentation
- Start to bring documentation in line
- Disable colour on non-terminals
FireHOL:
- Synproxy support
- Services "all" and "any" are now simple services. Service "all" now
has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN.
- Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately
- Fix empty firewall case
- Added state NEW to masquerade
- Fix to ensure the final firewall close code emits as both ipv4 and ipv6
where appropriate even if only ipv4 or ipv6 was used for the final
interface/router
- Added action type "sockets_suspects_trap"
- iptrap now creates the trap if it is not already created
- Eliminate a warning for kernels prior to 3.5
- NAT helper now supports balancing multiple IPs or ports on all NAT modes
- NAT helper now supports keyword "at" to specify the chain to be attached to
- Optimise multi-port matching rules
FireQOS:
- Optimisations
- Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP
- Fixed monitor mode
LinkBalancer:
- Fix to stop ignoring fallback gateways
- Use "traceroute -6" not "traceroute6"
2015/02/15:
Release of version 3.0.0-rc.1
This version introduces changes and improvements over a wide spectrum.
- Performance improvements: both the script and the resulting firewalls are
  faster. Choose between the original complete bi-directional matching and
  the even faster runtime matching.
New firewall features including:
- ipset support and management
- IDS and port knocking with traps
- multiple mark definitions
- conntrack helpers
- experimental tproxy support
- separate default settings file
Introduction of link-balancer script.
2014/10/24:
Release of version 2.0.0
No changes compared to rc.3
2014/10/19:
Release of version 2.0.0-rc.3
- Fix chain lengths and ensure both IPv4/IPv6 ones created for
"with limit", "with knock" and "with recent" (issues #38 and #40)
- Silently disable IPv6 where the kernel has no IPv6 support (#39)
2014/10/06:
Release of version 2.0.0-rc.2
FireHOL fixes/enhancements
- Create functional firehol helpme output (issue #35)
- Remove long-redundant firehol_wget and wget_cmd helpers
- Use mktemp for temporary directories during RPC enumeration
- Don't delete and recreate the main temporary directory
- Treat mktemp like other required commands
- Silence module detection warning when not loading modules
FireQOS fixes/enhancements
- Added srcmac dstmac matches to FireQOS
Packaging
- Clean up some intermediate files before packing
2014/08/02:
Release of version 2.0.0-rc.1
FireHOL fixes/enhancements
- #15 Do not fix source ports for DHCPv6 (not required by RFC)
FireQOS fixes/enhancements
- fixed mixed ipv4 and ipv6 matches that were generating match
priorities above 0xffff
- #29 added warning when rate is lower than minrate
Documentation
- split manual in two
- explain that ICMPv6 ND/RD packets are untracked by default, so they are not covered by the "all" service
- #31 fixed magic line of services definition
2014/06/08:
Release of version 2.0.0-pre9
FireHOL fixes/enhancements
- recognise dst4/dst6 on interface/router as well as src4/src6
2014/05/10:
Release of version 2.0.0-pre8
FireQOS fixes/enhancements
- resolved an issue with pppd ip-up scripts
- automatic numbering continues giving class priorities after
a manual priority is given
Documentation
- replaced docbook with pandoc (issue #24)
2014/04/13:
Release of version 2.0.0-pre7
FireQOS fixes/enhancements
- full bidirectional interface support, including firehol-like services
- running on OpenWRT (insmod instead of modprobe, low-res timers)
- option to limit each match to a specific rate
FireHOL fixes/enhancements
- firehol save now writes to the specified files again
- firehol save, restore and fastactivation now work in IPv4-only mode
- improved fast activation error handling (issue #22)
- improved mark/connmark handling (issue #23)
- tproxy support added
Documentation
- Link and spelling fixes
- new config examples
2014/02/15:
Release of version 2.0.0-pre6
Implement dual IPv4/IPv6 as standard
- Update your config from version 5 to 6 to enable
- See http://firehol.org/upgrade/#config-version-6
Include FireQOS manual pages
2013/10/29:
Release of version 2.0.0-pre5
Fix to the FIREHOL_DEBUGGING code.
Release of version 2.0.0-pre4
Cleanups and minor improvements
- Remove the blank line from wizard/helpme output
- Remove the #! from wizard output - it cannot be executed directly
- Cleaned up boilerplate information in script
- "firehol condrestart" now follows official conventions by restarting
only if already running
Fix kernel version detection so that it is more flexible and less error prone.
Allow switching on of debug output by setting environment variable
FIREHOL_DEBUGGING to a non-empty value.
Fix "mac" helper command so that it works with iptables 1.4.12+
- Previous behaviour was deprecated in 1.4.3 (Jul 2009)
- Also prevent MAC addresses being seen as IPv6 addresses
Allow some config variables to be set as environment variables
- FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT,
FIREHOL_INPUT_ACTIVATION_POLICY, FIREHOL_FORWARD_ACTIVATION_POLICY,
FIREHOL_OUTPUT_ACTIVATION_POLICY, FIREHOL_LOAD_KERNEL_MODULES,
FIREHOL_NAT, FIREHOL_ROUTING, FIREHOL_AUTOSAVE
Do not try to add DROP rules to NAT chains
- See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536675
Use "ss" in place of "netstat"
- As suggested here https://bugzilla.redhat.com/show_bug.cgi?id=784520
2013/10/28:
Release of version 2.0.0-pre3
Fix for issue https://github.com/ktsaou/firehol/issues/6
Fix for issue https://github.com/ktsaou/firehol/issues/9
2013/10/27:
Release of version 2.0.0-pre2
Inclusion of FireQOS
Standardisation of version information suitable for Git
Allow tcpmss usage in interfaces
2013/10/15:
Release of version 2.0.0-pre1
Project organisation moved to autotools: it is still possible to
copy the single sbin/firehol.in to an appropriate place on an
init-driven system.