What's new in IPFilter 4.1
==========================

(Well, compared to 3.*, anyway)

In no particular order, except headline alphabetical:

Administration:
- Run-time support for modifying ipf table size parameters.
- Run-time support for tuning other ipfilter parameters.

Content Scanning:
- Simple matching of content for TCP session startup.

Firewall Synchronising:
- Master/slave programs available.

General:
- All input files allow simple 'macro' definitions and expansion,
  including nesting.
- Code has been rototilled to make maintenance and enhancements
  easier for me and you.
- More configuration files and binaries.
- Takes up more memory.
- Probably slower.
- Versioned API to support changes in the ABI without breaking
  existing binaries (4.0 onward only.)
- IP-Filter framework in place for handling multiple different
  types of packet matching for firewalling.
- IP Id number rewriting available.
- Verification of checksums for recognised packet types.
- Optionally enable/disable IP forwarding when enabled/disabled.

IPF:
- BPF syntax available for matching packets in ipf rules (1).
- Can convert IPv4 ipf rules into C code and either:
  * load them as an LKM or;
  * compile them statically into the kernel (where possible.)
- Address pools allow for simpler rules covering large numbers of
  addresses/networks (IPv4 only).
- Lookup functions available to map an IPv4 address to a group.
- Groups can be referenced by multiple heads for subroutine-like use.
- NAT/ipf rules can refer to each other via a tag, creating an implied
  join that forms part of the packet matching.
- Extra packet attributes available for filter rules:
  * source address/routing interface mismatch;
  * multicast (3);
  * broadcast (2,3);
  * state lookup partially failed;
  * out of the TCP window for a state connection;
  * NAT lookup partially failed.
- PPS (packets per second) matching available for ipf rules.
- Rule collections (cf FreeBSD numbering) supported for ipf rules.
- Groups can now be names rather than just numbers.

IPV6:
- understands extension headers.
- can filter on extension headers.

Logging:
- ipmon now comes with a configuration file for more advanced logging
  behaviour.
- Can append arbitrary logging tags with ipf rules for easy matching.

NAT:
- "sticky" mapping available to ensure an address translation on
  a per-address basis is always the same (while known) for a set
  IP address.

Operating System Support:
- HP-UX 11 added.
- Tru64 5.1a added.
- Solaris/HP-UX now use pfil STREAMS module.
- Linux 2.4 on the way.

Proxies:
- PPTP proxy added.
- IRC proxy added.
- RPCBIND proxy added.
- FTP proxy support for EPSV (IPv4 only.)

Stateful Inspection:
- Can insist that all TCP data arrives in order.
- Can insist that all fragments pass through in order.
- The number of states created per-rule can be set where the total
  across all rules may exceed the maximum allowed.
- Can elect not to automatically match ICMP error packets.
- TCP sequence number rewriting supported.

(1) - Requires libpcap for rule parsing
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4