Darren Reed
2012-01-29 19:44:49 UTC
After what seems like an eternity, I've finally uploaded version
IPFilter 5.1.1.

There are no patch files against 5.1.0 or 4.1.35 as they'd be
too large to have any meaning.

Building and testing has been primarily done on Solaris 10 and
NetBSD 5.99, with no panics or crashes from regular activity.
It should also compile and load up fine on FreeBSD as well.

Someone asked about Illumos earlier in the week - when I last
tried building there, I ran into some problems that seem related
to bugs in their header files.

Why should you replace version 4 with 5?

At the user interface level, obscure error messages should now be
a thing of the past when dealing with the kernel module. There are
still likely to be obscure messages when parsing configuration
files or in other areas, but that will be taken care of in time too.

If you build IPFilter with "COMPAT_IPFILTER" defined in the top
level Makefile, it will be possible to use ipf/ipnat from earlier
versions of IPFilter to load a configuration but use of ipfstat
and ipnat to display rules and statistics will run into trouble.

In terms of basic features, ipnat now supports IPv6 and with new
"rewrite" rules, both the source and destination address can be
replaced using a single NAT rule. In addition, "divert" and
"encap" rules have been added for experimentation.
See the new man page ipnat(5) for more details.

For ipf, it is now possible to use a filter rule group for filtering
of ICMP packets associated with existing state entries using the
"icmp-head" option with "keep state". Additionally, it is now
possible to restrict the number of individual networks or hosts
that have associated state entries, preventing a single source from
dominating the state table. Version 5 also introduces a completely
new type of rule to ipf.conf - "decapsulate". These rules make it
possible to tell IPFilter to "remove" the headers at the front of a
packet and process the contents as a new packet. In the short term,
the primary application of this is to allow firewalls that are not
a tunnel end point to filter on the traffic inside the tunnel where
the traffic is not encrypted. See ipf.conf(5) for more details.

The logging application, ipmon, can now be given a configuration
file that allows for log entries to be stored in different files,
delivered via syslog or via SNMP traps. See ipmon(5) for more
details.

http://coombs.anu.edu.au/~avalon/ip_fil5.1.1.tar.gz
MD5 (ip_fil5.1.1.tar.gz) = e9d51c6e58f549c4ab499254c81c90d2

Darren