$Id: Changelog,v 1.22 2002/08/09 19:01:22 smueller Exp $

1.3
---
- config file will only be used if it belongs to root and has no access rights for group or other (only rights of 400, 600 or 700 are allowed)
- added command line switch close which is absolutely the same as init for convenience
- REMOVED THE AUTOMATIC BLOCKING OF SMB BROADCASTS, DHCP AND MULTICAST, since now it is possible to block those protos with normal rules and make them quiet in the log system => this reduces the amount of "Black Magic" that is in this script
- Security Fix: Broadcast addresses are not configured for looping
- Fixed the example configuration of DHCP
- ICMP rules are now only set up without any return rules (with the examples _BPING, _BPONG and _BTTL you can block incoming pings and traceroute scans, but your server in turn can ping others or traceroute others)
- Interface names are now available, see README
- Better log output for explicit Log rules

1.2
---
- added broadcast addresses to list of local IP addresses to enable broadcast addresses as local destinations in packet filter
- log output of SYN block fixed
- Added configuration option Prio to traffic shaper part (see sample config file)
- Debug log output from logged rules modified
- Added better examples to shaper.conf, esp. for problematic protos (e.g. SMB, NMB)
- Now it is possible to leave Server_IP, Server_Port, Connect_IP and/or Connect_Port empty in packet filter configuration
- Allowing or blocking of ICMP is now handled correctly
- small bugfix with Prio value in traffic shaper

1.1
---
- fixed a subtle bug in determining the bandwidth of an interface
- Cosmetic bug in debug log output
- Added destination 255.255.255.255 to drop chain
- if $Is_router != yes -> no single rule in forward chain
- removed $i_Link_Net
- TC now uses the tc filter -> IPTABLES marks are not used any more -> both parts can be used absolutely independently from each other
- Calculate remaining bandwidth on an interface to make CBQ queues actually work
- some more debug output
- allow more than one entry for Server IP/Port and Client IP/Port in configuration of traffic shaper filter -> you can use the IP/Port variables in the config file the same way as in the packet filter section (see sample config file)
- when script is called with option 'open', firewall stuff is only cleared when Enab_Filter=yes
- now you can explicitly make a firewall rule blocking (i.e. DROP - delete the packet - or REJECT - delete the packet and send an ICMP dest. unreachable back to the sender) -> see description of the available rules in sample config file

1.0
---
- small documentation updates within the script to make code more understandable
- display the called procedures (start, init, open)
- search for variable qdisc_handle_IFACENAME is only done in pre-init(), if TC is enabled
- fixed a nasty bug that prevented client remote and server remote TC from working correctly
- now TC will always check if a MARK is already used by IPTABLES -> thus IPTABLES rules do not need to be flushed any more => TC part of the script can now be used even if the IPTABLES rules are set up by other scripts ==> TC part and IPTABLES part are now truly independent!!!! YEAH!!!!! :-))))) (OK, if you call the TC only several times, you get a long list of IPTABLES MARK entries in the PREROUTING chain, but this should not matter)
- added check in TC if Connect_IP and Server_IP are routed to the same interface -> skipping that configuration, since no IP packet of that config will ever reach us!
- trap any exits which are due to errors and call "$0 init" to bring the system to a secure state
- make rules work which disable SYN/ACK checking
- A slight cosmetic bugfix
- Debug output to console is directed to STDERR instead of STDOUT to avoid problems with parameters and functions
- removed usage of Is_client
- SSH is allowed during init stage and exit-on-fail (configurable via option Failsave_SSH; everything besides no means yes - enable global rules for SSH access in emergency situation - even having no such option will enable this feature)

0.9
---
- removed some code that finds external executables and replaced it with a small function (script is reduced by 100 lines of code and is a bit easier to maintain)
- put loading of kernel modules into a function and load it during startup
- searching for external programs is now done in the pre-init() function
- call pre-init() before kernel setups during startup
- search for path of binaries modprobe and cat explicitly
- disabled traceroute per default
- added some small sanity checks for externally given values
- some log output changed

0.8
---
- fixed small cosmetic error in displaying headline of ipfilter status
- make a local server work: if $Server_IP in the config file was a local IP address, the filter blocked it, since the rules now must be applied vice versa to the chains (what is normally in the output chain is now set up in the input chain and the other way round) - it was screwed up due to the distinction between outbound traffic and inbound traffic
- moved log() function to the top of the script to make it available to everyone
- Started using CVS, thus variable Log is renamed to Logging
- Major rewrite of the traffic shaper part to enable Traffic Shaping on a NAT box, thus make the configuration stuff more general (i.e. there is no uplink interface any more) CHECK SUPPLIED CONFIG SAMPLE FILE FOR NEW CONFIG OPTIONS IN TRAFFIC SHAPING AREA
- Changed order of synack chain and stateful chain to reduce load
- Split chain for dropping without logging into two parts: initializing of chain (at the beginning of the setup of the filter) and integrating it into the default chains (at the end of the setup process)
- added links to the chain for dropping without logging from synack chain and stateful chain
- added automatic search of local IPv4 addresses for loop chain
- if no interface lo is found, ERROR (removed it from the configuration file)
- fixed the parsing of available queueing disciplines during destruction

0.7
---
- CHECK THE README FILE FOR SECTION COMMAND LINE! Because the usage concerning logging has changed slightly.
- automated enabling/disabling of reverse path filtering based on deactivated/activated TEQL
- Changed priority of logging of a packet filter rule from crit to debug
- Removed flag for inbound network queueing algos - it cannot be used (and never was) since we employ the ingress queue which has no support for algos (which of course would not make sense)
- fixed a nasty error introduced with the splitting of chains: split chains were not flushed! Stupid me, I forgot to update the chain names in the flush commands!
- introduced a log() function to ease the management of the logging output; now you have the switches -e for enabling echo, -s for enabling syslog, -b for enabling echo and syslog; if no switch is given, no output will be given (everything will be logged to echo and syslog - regardless of the options - if the severity is warning or crit)
- Licence of GPL version 2 is still used, but if someone wants to have it outside the GPL - just tell me and we will discuss it (see header of shaper.queues).

0.6
---
- added init phase: clearing all queues and chains, set netfilter policy to DROP; this phase should be called before any interface is up
- modified filtering: now rules intended for outbound only belong to OUTPUT or FORWARD chain, rules intended for inbound only belong to INPUT or FORWARD chain, thus making the filter faster and avoiding unused rules
- switched from if test ... to if [ ... ]
- dropping all in nolog chain immediately before everything else
- Check if tcp_syncookies is available

0.5
---
- fixed debug logging
- Added masquerading on the external interface; if you already used the previous version of the script just add Do_masq=yes to your /etc/shaper.conf; if you do not add it, it is disabled. Take care, you must enable Is_router, otherwise it will not work!
- Removed ICMP limiting via TC, since it is not needed
- Changed parsing in status_iptables() (patch by "Dieter Braetz")
- Changed default location of config file to /usr/local/etc

0.4
---
- cleanup of script
- fixed some minor bugs
- disabled ICMP limiting, since it blocks echo

0.3
---
- Removed last remaining $i_Link_if
- small bugfix in status_ip()
- bugfix in detecting binaries of tc, ip and iptables

0.2
---
- Bugfix of usage of Synack chain
- Limit inbound traffic with ingress queueing discipline, so no more fiddling with an internal interface is necessary, and this is usable for relays and client/servers
- added control whether this box is a relay (forward chain is used) or a client/server (input and output chains are used). Relay: system connects networks and traffic which is not for this box is passed (traffic is forwarded). Client/Server: system initiates or is destination for traffic. You can enable both, but take care: all rules will apply for both forwarding and local!
- several small bugfixes

0.1
---
- initial release
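The 1.3 entry only accepts a config file that belongs to root and has no group or other permission bits (mode 400, 600 or 700), because a sourced config file is executed as shell code with the privileges of the firewall script. The following is an added example of such a check; it is not the shaper script's own code. It assumes `ls -ld` prints the mode string as the first field and the owner name as the third, and it takes the expected owner as an optional second parameter (the script itself would always require root) so the check can be exercised on a file owned by an unprivileged user.

```shell
#!/bin/sh
# Added example (not the shaper script's own code): refuse to source a
# shell-format configuration file unless it is owned by the expected user and
# carries no permission bits for group or other, i.e. its mode is exactly
# 400, 600 or 700. Anyone else able to write the file could otherwise run
# commands with the privileges of the script that sources it.

# config_is_safe FILE [OWNER]
# Exit status 0 if FILE is a regular file owned by OWNER (default: root) with
# mode 400, 600 or 700; otherwise prints the reason to stderr and returns 1.
# Assumption: `ls -ld` prints the mode string as field 1 and the owner as field 3.
config_is_safe() {
    cfg=$1
    want_owner=${2:-root}

    if [ ! -f "$cfg" ]; then
        echo "$cfg: not a regular file" >&2
        return 1
    fi

    # Word-split the ls output into the positional parameters.
    # shellcheck disable=SC2046
    set -- $(ls -ld "$cfg")
    mode=${1%[.+]}      # drop a trailing '.' or '+' (SELinux context / ACL marker)
    have_owner=$3

    if [ "$have_owner" != "$want_owner" ]; then
        echo "$cfg: owned by $have_owner, expected $want_owner" >&2
        return 1
    fi

    # Owner bits may be r--, rw- or rwx; group and other must be all '-'.
    case $mode in
        -r--------|-rw-------|-rwx------) return 0 ;;
    esac
    echo "$cfg: mode $mode grants access beyond the owner (need 400, 600 or 700)" >&2
    return 1
}

# load_config FILE [OWNER]
# Sources FILE only after config_is_safe has accepted it.
load_config() {
    config_is_safe "$1" "$2" || return 1
    . "$1"
}

# Usage, as a script like this one would do for its config file:
#   load_config /etc/shaper.conf || exit 1
```

Parsing `ls -ld` is used here because it is portable across the systems a 2002-era script would meet; on a GNU system `stat -c '%U %a'` gives the same two values without word-splitting.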