linuxconf all changes logs

Version 1.15r0.1

Enhancements

firewall module working with ipchains (kernel 2.2)

This is preliminary. I have reworked the module so it either uses the kernel 2.0 way or the /sbin/ipchain utility. I did not use the ipchain-wrapper. I generate (each time) a script in /var/run/ipchain.sh and execute it. Check the output and test your firewall to make sure the behavior is unchanged.

I have noticed one problem with forwarding rules. It seems that the semantics associated with the interface are different. I am not sure. I have to check the kernel code to understand what is happening here.

Again, check it out and retest carefully before committing your firewall to this new version.

Version 1.16r0.1

Enhancements

firewall status

You can now view the IP chains status from the status module.

Bug fixes

firewalling on kernel 2.2

There were glitches for inputting and outputting rules. Linuxconf was complaining that the kernel could not support them and was not trying to activate anything. Now things should be much better. Go for it and test it!

Version 1.16r7

Enhancements

Module firewall: various enhancements

The firewall module was modified somewhat. It is still compatible with earlier configurations (well, let me know if it is not :-) ). The work done opens the door to many more enhancements, hopefully in the near future.

  • The dialog

    • New section

      The dialog has been reworked. It shows in graphic mode. I have added a section called features and moved some items from the top of the dialog there.

    • New comment field

      You can now add a single line comment explaining the purpose of a rule.

    • Ordering factor

      The module has an algorithm to order the rules, and it works most of the time. It is based on the netmask, the policy, the interface and so on. A new field called "ordering factor" has been added. This gives you the final say on the ordering. The default factor is 50. It is the primary criterion for ordering. Further, the rule list is ordered using this factor when it is displayed.

      In the near future, I will add a concept of pre-cooked solutions for firewalling, and this ordering factor will be used to allow mixing of "generated" and "manual" rules.

    • Bidirectional rules

      By default, Linuxconf generates two ipchains rules (or more, sometimes) for each rule entered in Linuxconf. It generates a rule "from -> to" and a rule "to -> from".

      A new check-box (on by default) controls this behavior. When it is disabled, Linuxconf only generates "from -> to".

    • Syn packet

      This feature is not implemented yet, but the dialog now has two new check-boxes, one in the "from" area and one in the "to" area. They control whether TCP SYN packets are accepted. They have no effect currently.

    • Input interface and output interface

      An input rule deals with the "input interface". The other rules (forward and output) deal with the "output interface". To differentiate these cases, the field title changes between input rules and the others.

  • Logical devices and hosts

    Firewall rules are sometimes weak, because the exact interface or host IP number is not known. This is the case with PPP dialout and dialin: one will often use ppp0, guessing that it is the device which will be allocated. This is also the case with "per user" firewalling.

    We are introducing the concept of logical interfaces and logical hosts. Where you normally enter a host IP or name, you can now enter a logical host, and the IP number will be looked up in other Linuxconf modules. The same applies to interfaces.

    A logical host or interface is presented like this:

    module_key/value
    

    For example:

    dialout/configuration_name
    pppdialin/ppp_user_account
    

    The firewall module uses the FWINFO_API inter-module API to get the information. If the information is not available, the rule is not generated and a message is entered in the log. Each participating module implements this API and supplies the information. So far, the dialout and pppdialin modules have been enhanced to support it.

    Note that it is the responsibility of those modules to trigger the firewall module to install new rules (in the kernel). For example, when a dialout connection is established, the dialout module sends a signal to the firewall module, which updates its rules. The dialout module has a check-box just for that.

    New command lines were also added to allow a third party to enable the new rules.

  • New command line options

    There are the following:

    	linuxconf --modulemain firewall --resetfw
    	linuxconf --modulemain firewall --setfw
    

    The first disables all rules, the second enables them.
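
As an added illustration (not Linuxconf's own code), the shell script below models how the 1.16r7 module turns its rule list into the ipchains script it runs: the rules are sorted by ordering factor (default 50, ties keeping their table order), a bidirectional rule yields both the "from -> to" command and the "to -> from" mirror, and a logical host such as dialout/isp is resolved through a lookup before the rule is emitted. The rule table, the fwinfo_lookup table and the names dialout/isp, pppdialin/alice and pppdialin/bob are constructed for the example; the real module asks the other modules through FWINFO_API, which this stand-in only imitates. An unresolvable logical name drops that rule and writes a log line, as described above. The script prints the ipchains commands instead of executing them.

```sh
# Constructed rule table, one Linuxconf-style rule per line (not real Linuxconf data):
# ordering_factor|chain|policy|protocol|from|to|interface|bidirectional|comment
RULES='50|input|DENY|all|0/0|dialout/isp|ppp0|yes|drop whatever else arrives on the ISP link
10|input|ACCEPT|tcp|192.168.1.0/24|192.168.1.1|eth0|yes|LAN hosts may reach the firewall itself
50|input|DENY|tcp|pppdialin/bob|0/0|ppp1|no|dial-in account nobody can resolve: rule is skipped
30|input|ACCEPT|udp|0/0|dialout/isp|ppp0|yes|DNS answers over the ISP link'

# Stand-in for the FWINFO_API answer of the other modules (hypothetical table):
# a literal address passes through, a known module_key/value resolves, anything else fails.
fwinfo_lookup() {
    case "$1" in
        dialout/isp)     echo 10.1.2.3 ;;   # address of the current dialout connection
        pppdialin/alice) echo 10.9.0.7 ;;   # address handed to that dial-in user
        [0-9]*)          echo "$1" ;;       # plain IP or network, nothing to resolve
        *)               return 1 ;;        # logical name no module can answer
    esac
}

# Emit the ipchains command(s) for one rule. A bidirectional rule produces the
# "from -> to" command and its mirror "to -> from"; an unresolvable logical name
# produces no command at all, only a log line (sent to stderr here).
emit_rule() {   # chain policy protocol from to interface bidirectional comment
    src=$(fwinfo_lookup "$4") || { echo "LOG: $4 unknown, rule '$8' not generated" >&2; return 0; }
    dst=$(fwinfo_lookup "$5") || { echo "LOG: $5 unknown, rule '$8' not generated" >&2; return 0; }
    echo "# $8"
    echo "ipchains -A $1 -i $6 -p $3 -s $src -d $dst -j $2"
    [ "$7" = yes ] && echo "ipchains -A $1 -i $6 -p $3 -s $dst -d $src -j $2"
    return 0
}

# Sort by ordering factor (numeric primary key; -s keeps ties in table order),
# then emit the script the module would write to /var/run/ipchain.sh and run.
generate_script() {
    printf '%s\n' "$RULES" | sort -s -t '|' -k1,1n |
    while IFS='|' read -r order chain policy proto from to iface bidir comment; do
        emit_rule "$chain" "$policy" "$proto" "$from" "$to" "$iface" "$bidir" "$comment"
    done
}

# Number of ipchains commands the table produces (comment and log lines excluded).
generated_rule_count() { generate_script 2>/dev/null | grep -c '^ipchains'; }

generate_script
```

With this table the order-10 LAN rule comes out first together with its mirror, the pppdialin/bob rule produces only a log line, and four dialog entries become six kernel rules.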

Version 1.16r8

Enhancements

Module firewall: More command lines

I have added two more command-line options for this module:

  • --update

    This is equivalent to --setfw. It was added to make it more consistent with the rest.

  • --status

    This does the same as "linuxconf --status", but only for the firewall.

Bug fixes

firewalling on kernel 2.2

The implicit rules for the loopback device were invalid. They were using the IP number of the device instead of the device name. Since kernel 2.2, only device names are accepted.

Version 1.16r9

Bug fixes

Module firewall: not all rules were activated

The new firewall module in 1.16r7 had a glitch. In many cases it would not enable a rule even if all conditions were met.

Version 1.16r10

Enhancements

Module firewall: dealing with unknown interfaces

The module was not enabling rules that use an interface not currently running. It is now friendlier. Note that in many cases, using logical devices is preferred (dialout/config, pppdialin/account) and more reliable.

Bug fixes

Module firewall: status fixed

The status feature was not using ipchains properly.

Version 1.17r1

Enhancements

Module firewall: logging added

There is a new check-box for logging. Any time the rule matches, a message is generated by the kernel and ends up in syslog (generally /var/log/messages). This is typically used with reject or deny rules.
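
To make the logging check-box concrete, here is an added example (not part of Linuxconf) that reads the kernel "Packet log:" lines ipchains writes to syslog and summarises blocked traffic per source address and rule number, the first thing to look at when checking whether a deny rule catches the traffic it was written for. The log lines are constructed for the example; their field layout (chain, target, interface, PROTO=, source:port, destination:port, then the matching rule number in parentheses) follows the ipchains kernel message format, and the unrelated lp0 line stands in for the other kernel noise found in the same file.

```sh
# Constructed syslog excerpt in the ipchains kernel log format (not a real capture).
LOGLINES='Mar  3 10:12:01 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:40211 10.1.2.3:23 L=60 S=0x00 I=14399 F=0x4000 T=52 SYN (#3)
Mar  3 10:12:02 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:40212 10.1.2.3:22 L=60 S=0x00 I=14400 F=0x4000 T=52 SYN (#3)
Mar  3 10:12:05 fw kernel: Packet log: input REJECT ppp0 PROTO=17 198.51.100.9:53 10.1.2.3:1025 L=78 S=0x00 I=2201 F=0x0000 T=61 (#7)
Mar  3 10:12:09 fw kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.5:8 10.1.2.3:0 L=84 S=0x00 I=3 F=0x0000 T=52 (#3)
Mar  3 10:12:11 fw kernel: Packet log: output ACCEPT ppp0 PROTO=6 10.1.2.3:34567 198.51.100.20:80 L=60 S=0x00 I=9001 F=0x4000 T=64 SYN (#1)
Mar  3 10:12:12 fw kernel: lp0: using parport0 (polling).'

# One line per (source, interface, chain/target, rule number), most frequent first,
# followed by the protocol/destination-port pairs that source was blocked on.
summarize_blocked() {
    printf '%s\n' "$LOGLINES" | awk '
        {
            # Find the "Packet log:" marker so the syslog prefix length does not matter.
            for (i = 1; i <= NF; i++) if ($i == "Packet" && $(i+1) == "log:") break
            if (i > NF) next                      # not a firewall log line
            chain = $(i+2); target = $(i+3); iface = $(i+4)
            proto = substr($(i+5), 7)             # "PROTO=6" -> "6"
            split($(i+6), s, ":"); split($(i+7), d, ":")
            rule = $NF; gsub(/[(#)]/, "", rule)   # "(#3)" -> "3"
            if (target == "ACCEPT") next          # only blocked traffic interests us here
            key = s[1] " " iface " " chain "/" target " rule#" rule
            hits[key]++
            ports[key] = ports[key] (ports[key] == "" ? "" : ",") proto "/" d[2]
        }
        END { for (k in hits) print hits[k], k, ports[k] }
    ' | sort -rn
}

summarize_blocked
```

The rule number at the end of each line is what ties a log entry back to the rule list; with the comment field of 1.16r7 filled in, that number is enough to name the rule in the dialog.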

Version 1.19

Enhancements

Module firewall: adding some masquerading modules

The firewall module allows you to load various masquerading modules. Unfortunately, the list was incomplete. Fixed!

Version 1.21r6

Enhancements

Module firewall: redirecting to internal hosts

The input rules have been enhanced so one can redirect traffic and send it to other hosts. This uses the ip_masq_mfw kernel module. A new field was added to the form. Before, one could only intercept traffic and redirect it to a local service on the firewall. Now, the extra field allows you to redirect to another machine.

This should simplify the old "redir" setup, since you do everything from the same dialog. It allows arbitrary traffic redirection, not just TCP. Check it out. Not tested much though.

Version 1.24

Enhancements

Module firewall: logical devices and addresses

The firewall module already had the ability to query other modules to translate a logical name (key1/key2) into either an IP address or an interface address. This was used by the dialout, redhatppp and pppdialin modules. It is useful to establish firewall rules when the exact IP address is not known.

The fwinfo API was changed to accommodate a new module: userfirewall. Now a module may provide several IP/netmask pairs for one query. The firewall module will generate one rule for each IP/netmask pair, as needed.

The userfirewall module will be announced shortly.

Version 1.24r5

Enhancements

Module firewall: port redirection to another host

The help screen has been enhanced and the functionality tested. You need the ipmasqadm utility to make use of it.

Version 1.25r5

Enhancements

Module firewall: various enhancements

First, the help screen has been reworked a lot. It had been rather neglected for too long.

Various enhancements were made to the module:

  • The ipchains module is loaded as needed on kernel 2.4.

  • You can specify any IP protocol, not just icmp, udp and tcp. The list is taken from /etc/protocols (using getprotoent(), in fact).

  • You can specify several entries in the "Host or network" field, separated with commas. This way, you can specify rules like "from x,y,z to a,b,c". Before, you would have had to specify nine different rules to cover all the combinations.

  • You can use the power of ipchains to map firewall rules to different chains. This can speed up your firewall incredibly if you have a lot of rules (we have clocked 300 megabits/second through a firewall with 130,000 rules, yeeehaaaa).

    This new facility allows you to map a given rule by interface, protocol, source, source port, destination and destination port. You can also map by source and destination sub-net. By specifying two mappings, Linuxconf will create all needed chains and generate the dispatch rules.

    This new feature is really useful for large firewalls, and especially for users of the userfirewall module (which maps users and groups to firewall rules).

Also, not really an enhancement, but support for kernel 2.0 firewalling was dropped.

Version 1.25r6

Enhancements

Module firewall: some enhancements

The help screens have been enhanced. Instead of a single one, there are three, explaining the context in more detail.

Negation is supported in the from and to fields. You can enter addresses in the form

	!x.y.z.w

Other negations are possible (on the protocol and interface) and will be added in a future release.

The chain dispatch mechanism has been enhanced. A new check-box controls how the firewall rules are updated in the kernel. The default mode is to wipe the kernel rules and put new ones in place. With the "update the kernel gracefully" check-box enabled, only the relevant chains are updated. This produces faster updates and avoids opening holes while the firewall is changing. This is necessary with the userfirewall module, which can change the firewall rules several times per minute.
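
The chain dispatch of 1.25r5 and the graceful update of 1.25r6 can be illustrated together. The shell functions below are an added example, not the module's code: rules are grouped into one user chain per interface (named in_<iface>, a naming chosen for the example) with a dispatch rule in the input chain, and the two update modes are generated side by side. A full reload flushes every chain first, so until the last rule is back only the built-in policy of the input chain stands between the network and the host; the graceful variant compares each chain's rules before and after the change and refills only the chains that differ, leaving the dispatch rules and the unchanged chains in force throughout. Both functions print the ipchains commands rather than running them, and the rule tables are constructed.

```sh
# Constructed rule tables, before and after a change (interface|protocol|source|destination|policy).
# The change only concerns ppp0: a DNS rule is added and the final policy tightened.
RULES_BEFORE='eth0|tcp|192.168.1.0/24|0/0|ACCEPT
eth0|all|0/0|0/0|DENY
ppp0|tcp|0/0|10.1.2.3 22|DENY
ppp0|all|0/0|0/0|ACCEPT'
RULES_AFTER='eth0|tcp|192.168.1.0/24|0/0|ACCEPT
eth0|all|0/0|0/0|DENY
ppp0|tcp|0/0|10.1.2.3 22|DENY
ppp0|udp|0/0|10.1.2.3 53|ACCEPT
ppp0|all|0/0|0/0|DENY'

# Dispatch chains a table needs: one per interface, named in_<iface> (example naming).
chains_of() { printf '%s\n' "$1" | awk -F '|' 'NF { print "in_" $1 }' | sort -u; }

# The ipchains commands that fill one chain from a table.
chain_rules() {   # $1 = table, $2 = chain name
    printf '%s\n' "$1" | awk -F '|' -v ifc="${2#in_}" -v ch="$2" \
        '$1 == ifc { printf "ipchains -A %s -p %s -s %s -d %s -j %s\n", ch, $2, $3, $4, $5 }'
}

# Default mode: wipe everything and install it all again. Between "-F" and the
# last "-A", the input chain is empty and only its built-in policy applies.
full_reload() {   # $1 = table
    echo 'ipchains -F'
    echo 'ipchains -X'
    for ch in $(chains_of "$1"); do
        echo "ipchains -N $ch"
        echo "ipchains -A input -i ${ch#in_} -j $ch"
        chain_rules "$1" "$ch"
    done
}

# Graceful mode: only chains whose rules differ are emptied and refilled; a chain
# that did not exist before is created and hooked into input. Unchanged chains
# and the dispatch rules stay in the kernel for the whole update.
graceful_update() {   # $1 = old table, $2 = new table
    for ch in $(chains_of "$2"); do
        old=$(chain_rules "$1" "$ch")
        new=$(chain_rules "$2" "$ch")
        if [ "$old" != "$new" ]; then
            if [ -z "$old" ]; then
                echo "ipchains -N $ch"
                echo "ipchains -A input -i ${ch#in_} -j $ch"
            else
                echo "ipchains -F $ch"
            fi
            printf '%s\n' "$new"
        fi
    done
}

echo '# full reload'; full_reload "$RULES_BEFORE"
echo '# graceful update'; graceful_update "$RULES_BEFORE" "$RULES_AFTER"
```

For the tables above the graceful update touches in_ppp0 only: one flush and three appends, while the eth0 rules never leave the kernel. With a module that rewrites the rules several times a minute, that difference is the whole point.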

Version 1.25r7

Enhancements

Module firewall: various enhancements

You can use the ! character in various places to mean "not". You can use it in the protocol and from/to fields as well as the interface field. You can also use it in the "other ports" field.
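
As an added example (not Linuxconf code), the shell function below performs the two expansions described in the 1.25r5 and 1.25r6/r7 entries: the comma-separated entries of the from and to fields are expanded into one ipchains command per combination (three entries on each side give nine commands, as stated above), and a leading ! on an interface, protocol, or address becomes the separate "!" argument that ipchains expects in front of the value. The interfaces, addresses and policies in the calls are constructed.

```sh
# "!value" -> "! value": ipchains takes the negation as its own argument in front
# of the value (-s ! 10.0.0.0/8, -i ! ppp0, -p ! tcp); anything else is unchanged.
negate() {
    case "$1" in
        "!"*) echo "! ${1#!}" ;;
        *)    echo "$1" ;;
    esac
}

# Expand one Linuxconf rule into the ipchains commands it stands for: every entry
# of the comma-separated from list paired with every entry of the to list.
# The body is a subshell so that the changed IFS does not leak into the caller.
expand_rule() (   # $1 chain, $2 interface, $3 protocol, $4 from list, $5 to list, $6 policy
    IFS=','
    for f in $4; do
        for t in $5; do
            printf 'ipchains -A %s -i %s -p %s -s %s -d %s -j %s\n' \
                "$1" "$(negate "$2")" "$(negate "$3")" "$(negate "$f")" "$(negate "$t")" "$6"
        done
    done
)

# How many kernel rules one dialog entry really costs.
rule_count() { expand_rule "$@" | wc -l | tr -d ' '; }

# Three sources to three destinations: nine commands for a single dialog entry.
expand_rule input eth0 tcp 10.0.0.1,10.0.0.2,10.0.0.3 192.168.1.1,192.168.1.2,192.168.1.3 ACCEPT
# Everything not from the LAN, arriving on any interface other than ppp0, is denied.
expand_rule input '!ppp0' all '!192.168.1.0/24' 0/0 DENY
```

Since every list entry multiplies the rule count, the chain dispatch described for 1.25r5 is what keeps a firewall written this way fast once the lists grow.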

Version 1.26r3

Bug fixes

Module firewall: protocol field

The protocol field was limited to 10 characters. Some entries in /etc/protocols are longer than that.

Version 1.27r4

Bug fixes

Module firewall: vlan devices

The module was doing some validation of network devices but was rejecting VLAN devices (eth0.vlan_number). Fixed!

Version 1.27r5

Enhancements

Module firewall

GUI column sorting was applied to the rule list.

A column named "redir" was added near the end. It contains an X if the rule is a redirection.

Version 1.29

Enhancements

Module firewall: iptables support

The module now outputs iptables commands instead of ipchains commands on kernel 2.4. No new capabilities were added to the module besides that. Firewalls built using Linuxconf and ipchains should work as before using iptables. There is one big difference though: iptables uses the INPUT, FORWARD and OUTPUT chains very differently.

  • ipchains always uses all the chains for any packet, except when the packet originates from the machine.
  • iptables uses the FORWARD chain only for packets going through the machine. It uses the INPUT chain for packets targeted at the machine and the OUTPUT chain for packets sent by the machine (not forwarded).

This may affect some router configurations. Please review.

Now, if you do not have time to review this, there is a check-box in the feature section of the "firewall defaults" dialog. It is called "Use IP chains even on kernel 2.4".
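
The chain difference warned about above can be made mechanical. The shell functions below are an added illustration, not the module's converter: iptables_chain_for decides which iptables chain a rule belongs in from the ipchains chain it occupied and from what the matched traffic does at the host (addressed to it, sent by it, or routed through it), and convert_rule rewrites one ipchains rule accordingly, turning DENY into DROP and the -l logging flag into a separate LOG rule, since iptables has no per-rule log flag. The traffic-kind names and the sample rules are constructed; deciding whether a given ipchains input rule was meant for the host or for routed traffic is exactly the review the entry asks for, and the function makes the reviewer state it.

```sh
# Where a rule must live in iptables, given the ipchains chain it used to sit in
# and what the packets it matches do at this host.
#   $1 = ipchains chain: input | forward | output
#   $2 = traffic kind (names chosen for the example): to-host | from-host | through
# Prints the iptables chain; fails for a pairing iptables cannot express.
iptables_chain_for() {
    case "$1:$2" in
        input:to-host)    echo INPUT ;;
        input:through)    echo FORWARD ;;   # ipchains saw routed packets on input; iptables never does
        forward:through)  echo FORWARD ;;
        output:from-host) echo OUTPUT ;;
        output:through)   echo FORWARD ;;   # likewise for routed packets that left via output
        *)                return 1 ;;
    esac
}

# Rewrite one ipchains rule as iptables command(s).
#   $1 chain, $2 traffic kind, $3 interface, $4 protocol, $5 source, $6 destination,
#   $7 ipchains target, $8 "yes" if the rule carried the -l logging flag
# An input rule's interface is the input interface (-i); forward and output rules
# name the output interface (-o), as the 1.16r7 entry explains.
convert_rule() {
    newchain=$(iptables_chain_for "$1" "$2") || {
        echo "# cannot place: $1 rule for $2 traffic ($5 -> $6)"; return 1; }
    case "$1" in input) ifopt="-i $3" ;; *) ifopt="-o $3" ;; esac
    target=$7
    [ "$target" = DENY ] && target=DROP       # REJECT and ACCEPT keep their names
    if [ "$8" = yes ]; then                   # no -l in iptables: log with a rule of its own first
        echo "iptables -A $newchain $ifopt -p $4 -s $5 -d $6 -j LOG"
    fi
    echo "iptables -A $newchain $ifopt -p $4 -s $5 -d $6 -j $target"
}

# A router rule that denied traffic from the ISP link into the LAN: it used to sit
# in the ipchains input chain, but in iptables it must go to FORWARD or it never matches.
convert_rule input through ppp0 tcp 0.0.0.0/0 192.168.1.0/24 DENY yes
# The same kind of traffic aimed at the firewall itself stays in INPUT.
convert_rule input to-host ppp0 tcp 0.0.0.0/0 10.1.2.3 DENY no
```

A rule the function cannot place (an ipchains forward rule for host-bound traffic, for instance) is reported as a comment and counted as a failure, which is what one wants from a converter run over a large rule set: every such line needs a human decision.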

Version 1.33

Enhancements

Module firewall: reporting error

When the module was applying firewall rules, it was sometimes generating errors that were difficult to relate to actual lines in the dialog. This is because one configuration line may literally explode into many (with modules like userfirewall). Now the error messages are easier to understand.

Version 1.33r2

Enhancements

firewall module: rule list

The policy has been added to the rule list. It is easier to find reject/accept rules now. With the new text-mode sortable columns widget, it is even easier.