====================================================================
                        F I R E | G A T E
           Copyright 2002-2003 Jeff Bonner (lunar@xrs.net)
====================================================================

REVISION HISTORY
________________

Please check the download sites to make sure you have the latest
revision. Important fixes, additions and changes may occur with new
releases.

v0.64: Removed unneeded ReAIM proxy rules (IM client rules remain)

v0.65: Added -t mangle & -t nat rule flushing upon "./firegate stop"

v0.66: Added HTTP/SMTP forwarding through firewall to internal server

v0.67: Added NoIdent (reject w/TCP reset) or Ident (nullidentd) option

v0.68: Added section-purpose separators, and cleaned up all comments

v0.69: Added direct-from-internet SSH option (disabled by default)

v0.70: Began documenting script changes via Revision History :)

v0.71: Blocked in/out port 445; fixed TCP/UDP types for 137-139 (SMB)

v0.72: Blocked UDP inbound to ports 0:19 (was only TCP previously)

v0.73: Fixed blacklist so it drops any inbound forwarded traffic too

v0.74: Added to and clarified comments. More trojan blocks. Portscan &
       badflag check now performed only on external interface. Can now
       have multiple DHCP servers. Added variables to turn on/off SSH
       and IDENT; define the external/internal interface names; and for
       internal HTTP & SMTP machine IPs. Changed specific inbound port
       blocking to be on external interface only (would have kept some
       internal services from working).

v0.75: Fixed bug in DHCP define loop (introduced in v0.74); corrected
       DNS comments; added usage/installation instructions to INSTALL
       files; included LICENSE file for full GPL compliance; MD5 sum
       now included on website to verify authenticity.

v0.76: Added comments & more addresses to block private/reserved space.
       Added OUTPUT block for blacklist sites. Added LAN address range
       to restrict sNAT/masquerade. If no IPs are specified for HTTP or
       SMTP, port forward via PREROUTING is now disabled, plus attempts
       are not logged. Can now specify AIM, ICQ and MSN ports to use
       for file transfers; if not defined, PREROUTING rule(s) disabled.
       Added Gnutella P2P client forwarding option (port can be changed
       for KaZaA etc, remove line 248). Removed unused ICMP rule name.
       Fixed problem with null values causing "unary operator expected"
       error, and a nasty surprise upon 'stop' command that would cause
       loss of connectivity if using only SSH with no monitor/keyboard.

v0.77: Added to and clarified comments. Additional ICMP messages are
       now allowed in for more compliant servers; response to external
       ping can be turned off with PING variable. If/Then/Else logic
       surrounded by quotes for more reliable operation. Added variable
       QUIET to suppress logging of commonly scanned ports; it affects
       SSH/HTTP/SMTP as well, if these aren't in use. Added variable
       WEBPORT for users whose ISPs block standard incoming HTTP port
       80; adjust if needed. Changed spaces to tabs for 2K savings.

v0.78: Added TCP/UDP port 135 to ignored ports. Added Gnutella ignore
       @ line 249 (disabled by default). Added/clarified more comments.
       Attempt to allow streaming camera apps like iVista. Added new
       variable "DROPEXT", default is true; if false, ./firegate stop
       does NOT drop all external traffic (keeps you from being locked
       out if using remote SSH, similar to 0.76 fix for local SSH).
       Added FAQ file and list of kernel modules needed for script.

v0.79: Added to and clarified comments. Added TCP 4444 outbound block
       to deal with W32.Blaster worm and variants; note that tFTP (UDP
       port 69) could also be blocked by FIRE|GATE for maximum effect,
       but currently is not. Fixed bug (introduced in v0.78): when
       CAM/CAMIP variables were null, a script error appeared. Added
       indicators showing FIRE|GATE's progress, and variable COLOR to
       use ANSI when displaying (re)start/stop/status messages. When
       DHCP variable is blank, script allows any DHCP server traffic
       inbound; if DNS variable is blank, all DNS traffic is allowed
       inbound (previous behavior dropped traffic, which can generate
       substantial PACKET DROP logs). Confirmed list of kernel modules
       needed now, and those which are optional and/or for future use.
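As an added illustration (not FIRE|GATE's own code) of two behaviours the history describes, the v0.76 conditional HTTP port forward with quoted tests and the v0.78 DROPEXT option on stop, the functions below print the iptables commands they would issue instead of executing them. The parameter names extif/httpip/dropext are assumptions; WEBPORT is the script's own variable.

```shell
#!/bin/sh
# Added example, not part of the FIRE|GATE script. Rules are echoed, not run,
# so the logic can be checked without root or a live firewall.

# v0.76: forward inbound HTTP (on WEBPORT) to the internal server only when an
# IP is defined; otherwise the PREROUTING rule is disabled and nothing is logged.
# Every variable in a test is quoted: an unquoted empty $httpip would make
# "[ -n $httpip ]" fail with "unary operator expected".
http_forward_rule() {
    extif="$1"; webport="$2"; httpip="$3"
    if [ -n "$httpip" ]; then
        echo "iptables -t nat -A PREROUTING -i $extif -p tcp --dport $webport -j DNAT --to-destination ${httpip}:80"
    else
        return 1   # no internal HTTP server configured: forwarding disabled
    fi
}

# v0.65 + v0.78: "stop" flushes filter, nat and mangle tables; with DROPEXT=true
# all external traffic is then dropped, with DROPEXT=false it is left open so a
# remote SSH session (assumption: admin is connected over the external interface)
# is not cut off.
stop_rules() {
    extif="$1"; dropext="$2"
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -t mangle -F"
    if [ "$dropext" = "true" ]; then
        echo "iptables -A INPUT -i $extif -j DROP"
        echo "iptables -A FORWARD -i $extif -j DROP"
    fi
}
```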