v2.8
* added version check for proper TOS variable set (thanks Damaged)
* added gshield.pump (script by D. Munroe) to tools
* removed useless UDP opening for SMTP
* check_interface function disabled by default
* folded in services.rules fixes
* folded in C. Gielen's patch for port-range forwarding
* added misc-patch by Harold van Oostrom
  - runtime option for -b blocks everything by default
  - support for remote transparent proxy
* added windows terminal service (RDP) forwarding
* typo fix in routables/routables.conf
* added chkconfig parameters
* added support for string filtering specific to HTTP
* SMTP proxy support
* added stronger regex for sourcing (thanks K. Root)
* added PPTP options (thanks D. Powell) with restrictive options
* multicast fixes / addresses moved to separate file (thanks P. Starrenburg)
* close netfilter flaw (unfiltered ICMP packets)
* support for IRC connection tracking

v2.7.1
* service ports now hard-wired in
* increase port-range (marking) for Q3A servers (thanks S. Youngs)
* typo fix for BIND_HOST
* typo fixes for rFTP and rTraceroutes (thanks Nilsson/Bayer)
* added network patch for proper mask calculations by Marcos Tadeu
* misc service cleanup
* TOS disabled by default (iptables 1.2.3 oddity)
* logging facility defaults to numeric (resolves iptables 1.2.3 oddity)

v2.7
* misc routable fixes (thanks J. Aitti)
* gforward.pl updated
* internal forwarding mechanism (thanks J. Benson)
* added portscan detection options

v2.6.9
* added option for QUEUE target
* UNCLEAN toggle
* adjusted domain service to handle brain-dead service listings

v2.6.8
* changed GRE to numeric protocol to accommodate brain-dead distros
* added smarter "broadcast" drops to reduce log verbosity
* typo bugfix in kernel-options (thanks R. Goers)
* extended highport_access logic (thanks A. Huffman)
* added icmp_ignore_bogus_error kernel option (thanks R. Goers)
* added return options for auth regardless of default policy (thanks R. Goers)

v2.6.7
* added sanity loop for several kernel options
* bugfix for tcp/sshd in routables.rules (thanks C. Graham)
* added blocked_addresses to conf/
* added GRE-specific logging
* added nntp/sshd TOS/QOS suggestions (thanks W. Torres)
* updated gforward.pl w/ option to use external file

v2.6.6
* added configurable options for UDP responses
* added nice version logic (thanks phantoo)
* bugfixes for routables/DMZ (thanks M. McCallister)
* folded in sections of contributed patch by S. Youngs
* added ICMP/traceroute options for routables/DMZ
* added verbosity to routable startup
* added toggle for QoS marking
* added toggle for SNAT/MASQUERADE
* added proper copyright and license file
* cleaned up directories (added docs and tools subdir)

v2.6.5
* gforward.pl now included (for setting up generic portforwards)
* added QoS marking for typical game ports, irc
* gShield.conf reorganized
* added "error" documentation for common errors
* misc cleanups (added restart runtime)

v2.6.4
* bugfix for hosts.deny logic
* BLACKLIST defaults to normal
* toggle for locking down possible netbios leaks
* removal of a few bashisms (thanks J. Breton)

v2.6.3
* toggle for ICMP logging
* error checking for UNCLEAN match
* SYSLOG option defaults to false
* bugfix for loopback interface
* misc documentation updates

v2.6.2
* option for TCPMSS fix for borked PPPoE
* folded in TOS mangles for PREROUTE
* primitive packet marking for PREROUTE
* option for ICMP_ECHOREPLY_RATE
* sanity check for ICMP_ECHOREPLY_RATE
* fix for non-English LANG env (thanks mtanguy)

v2.6.1
* folded in syslog function (thanks hburgiss)
* moved conf/time_servers to gShield.conf
* support for running out of init.d/
* option to auto-blacklist "ALL"-prefixed addresses in hosts.deny
* run-time blacklist option can add to hosts.deny
* documentation additions to cover hosts.deny use
* cleaned up logging-prefixes

v2.6
* Configuration file format change
* ALL supported services are forwardable
* reserved drops now specific to external interface
* user-defined rules easily added (see gShield.conf)
* script even less verbose/color crap removed

v2.5.1
* improved logic for run-time option detection
* bug-fix for syncookies
* added generic peer to peer framework
* p2p client port-forwarding

v2.5
* added configuration kernel options for icmp_echo_ignore_broadcasts
* added configuration kernel options for tcp_timestamps
* syncookies now disabled by default
* bugfix for run-time client-add option
* misc documentation additions

v2.4
* added security comments concerning recent iptables ftp issue.
* run-time options: add blacklist, highport access, client access, flush.
* NOLOG automatically deals with broadcast addresses (drop/nolog).
* added kernel ip-sysctl options to main configuration
* added additional usage notes to cover run-time options

v2.3
* ifconfig now defined as a variable
* reordered blacklist/NAT chain ordering (thanks Hurley)
* folded in multi-homed logic based on diff by Duebbert
* fixed outgoing typos (thanks Duebbert)
* fixed protocol typo for HTTPS (thanks Faurot)
* misc comment fixes / updated gShield.conf

v2.2
* behavior when dropping packets now configurable
* support for forwarding imap-ssl
* toned down startup verbosity

v2.1
* cleaned up reserved_address (was causing some issues)
* added auto-configuration logic for DNS servers
* added option to log INVALID state drops
* added framework for outgoing filters
* added blocked_outgoing to enable outgoing filtering
* added no_log option for specific ports

v2.0.4
* added toggle for traceroutes
* added logging-level option
* re-ordered CLOSED port chain
* added "flush" option
* folded in additional reserved blocks

v2.0.3
* fixed typo for https entry
* fixed typo for FW_ROOT in routables (thanks V. Hodges)
* added forwarding for ssh
* blacklist logging now a toggle
* added toggle for "default logging"

v2.0.2
* added option to not log reserved drops
* added common multicast addresses to conf/reserved_addresses
* enhanced DHCP logging
* removed redundant reserved chain
* removed redundant NAT entry
* common public services now use /etc/services to determine port
* added options for bind/domain forwarding
* highport_access should now deal with passive FTP
* highport blocking is now a toggle
* added transparent proxy options

v2.0.1
* added DNS chain to ease readability
* moved DMZ rule entrance lower in filtering
* cleaned up logging output (no logging smb broadcasts)
* added conf/open_ports for user-defined open ports

v2.0.0
* initial conversion to iptables
* support for multiple NATs
* routable support and protection
* support for DMZ'd machines
* sane limits for default drops, incoming icmp
* MAC address filtering for administrative machines
* configurable public service access
* configurable client access
* integrated port-forwarding
* stateful tracking