<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>ChangeLOG</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="Linux IP Masquerade HOWTO" HREF="index.html">
<LINK REL="UP" TITLE="Miscellaneous" HREF="c3199.html">
<LINK REL="PREVIOUS" TITLE="Reference " HREF="references.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linux IP Masquerade HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="references.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 8. Miscellaneous</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"> </TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="CHANGELOG"></A>8.5. ChangeLOG</H1>
<P>TO DO - HOWTO:</P>
<UL>
<LI><P>Add the scripted IPMASQADM example to the Forwarders section. Also confirm
the syntax.</P></LI>
<LI><P>Add a little section on having multiple subnets behind a MASQ server</P></LI>
<LI><P>Confirm the IPCHAINS ruleset and make sure it is consistent with the IPFWADM
ruleset</P></LI>
</UL>
<P>TO DO - WWW page:</P>
<UL>
<LI><P>Update the PPTP patch on the masq site</P></LI>
<LI><P>Update the portfw FTP patch</P></LI>
</UL>
<P>Changes from 05/22/05 to 11/13/05</P>
<UL>
<LI><P>11/13/05 - Fixed a bug where the PORTFW example rule in section 6.7 was
incorrect. Updated the IPTABLES PORTFW section to include state tracking
for the pre-routing rule, added a cross-reference to the PORTFW FAQ entry,
and reduced some duplicate PORTFW examples in different chapters of the HOWTO.
Thanks to Thomas Zajic for bringing this to my attention.</P></LI>
<LI><P>10/23/05 - Updated the dynamic IP FAQ section to give complete examples
on how to re-run the rc.firewall-* scripts for various different DHCP clients</P></LI>
<LI><P>10/19/05 - Updated the HOWTO to be very clear on loading the various
rc.firewall-* ruleset files (there are 6 of them in this HOWTO: simple and
stronger versions for IPTABLES, IPCHAINS, and IPFWADM) vs. loading a
generic rc.firewall file. I also updated the troubleshooting section to
reflect this possibly confusing point.</P></LI>
<LI><P>05/27/05 - Updated the Multiple NAT situation to include ProxyARP solutions</P></LI>
<LI><P>05/26/05 - Clarified the section for IPMASQ on multiple internal LAN segments</P></LI>
</UL>
<P>Changes from 05/03/05 to 05/22/05</P>
<UL>
<LI><P>05/22/05 - Updated the rc.firewall-iptables-stronger ruleset to 0.87s.
Removed the unused drop-and-logit chain as it was only later being deleted
anyway. Thanks to Matthew Concannon for this one.</P></LI>
<LI><P>05/21/05 - Updated the Multiple-IPs FAQ entry a bit</P></LI>
</UL>
<P>Changes from 04/17/05 to 05/03/05</P>
<UL>
<LI><P>05/03/05 - Updated the rc.firewall-iptables-stronger ruleset to fix a typo</P></LI>
</UL>
<P>Changes from 03/19/04 to 04/17/05</P>
<UL>
<LI><P>04/30/05 - Updated the IP address for unc.metalab.org and published the
HOWTO to the web.</P></LI>
<LI><P>12/18/04 - Added some comments in the IPTABLES, IPCHAINS, and IPFWADM
rulesets explaining why the default policy is ACCEPT and not something like DROP.</P></LI>
<LI><P>07/24/04: Renamed the rc.firewall-2.4/2.2/2.0-* rulesets to
rc.firewall-iptables/ipchains/ipfwadm-*. This change better reflects that
these rulesets can run on different kernel versions (such as 2.6.x). Updated
the rc.firewall-iptables-stronger ruleset to 0.85s to fix an improper /24
netmask for the INTIP variable.</P></LI>
<LI><P>04/10/04: Updated the rc.firewall-2.4-stronger ruleset to use the 192.16.0.x
network instead of the 192.168.1.x network to better align with the rest of the
HOWTO</P></LI>
<LI><P>04/04/04: Added that Redhat9 supports IPMASQ</P></LI>
</UL>
<P>Changes from 11/10/03 to 03/18/04</P>
<UL>
<LI><P>03/18/04: Added a sub-section for supporting multiple internal networks for
IPTABLES</P></LI>
<LI><P>02/02/04: Updated some old jhardin rubyriver URLs to impsec.org URLs</P></LI>
<LI><P>01/10/04: Updated the rc.firewall-2.4-stronger and 2.2 rulesets to make
placement of PORTFW configs more obvious</P></LI>
<LI><P>01/01/04: Some systems require that the /etc/rc.d/init.d/firewall-2.* files
be executable. Fixed. Thanks to Chris Carter and others for the nudge.</P></LI>
<LI><P>01/01/04: Added an additional chkconfig check on Redhat systems to make sure
that the firewall will load upon init level change. Thanks to Chris Carter
for the idea.</P></LI>
<LI><P>12/19/03: Updated the rc.firewall-2.4-stronger ruleset to 0.82. This
new ruleset has a special ICMP filter to work around a Netfilter bug.
Also, the drop-and-log-it chain has been renamed to reject-and-log-it
since that's actually what it's doing. Thanks to Bart Martens for the
recommendations.</P></LI>
<LI><P>12/13/03: Fixed some minor grammar issues. Thanks to Lawrence Berlinsk
for pointing them out.</P></LI>
<LI><P>11/30/03: Updated the rc.firewall-2.4-stronger ruleset to 0.81s, the
rc.firewall-2.2-stronger ruleset to 0.72s, and updated the
rc.firewall-2.0-stronger ruleset to 0.72s (never had a version # before).
These changes reflect either the ruleset not having strong enough comments
or the ruleset allowing all traffic destined to the MASQ server itself
instead of protecting it. It's recommended that if you want to enable access
to servers running on the MASQ server itself (http, ssh, etc.), you selectively
enable them under the OPTIONAL INPUT section.</P></LI>
<LI><P>11/03/03: Updated the rc.firewall-2.2-stronger ruleset to fix an INTLAN rule
that was allowing traffic from ANY IP address instead of only the proper INTIP IP
address. This aligns the IPCHAINS ruleset with the IPTABLES and IPFWADM
ruleset examples</P></LI>
<LI><P>11/10/03: Deleted all kernelnotes.org URLs (juanjox URLs)</P></LI>
</UL>
<P>Changes from 06/22/03 to 11/09/03</P>
<UL>
<LI><P>10/25/03: Fixed a dead RFC1918 URL in section 3.3. Thanks to Mark Sobell for the report.</P></LI>
<LI><P>07/07/03: Added the "reducing-masq-log" FAQ entry to help people reduce the
size of their firewall logs.</P></LI>
<LI><P>06/27/03: Updated the rc.firewall-2.4-stronger ruleset to 0.80s. Added a
DISABLED ip_nat_irc kernel module section, changed the default of the
ip_conntrack_irc to NOT load by default, and added additional kernel module
comments.</P></LI>
<LI><P>06/27/03: Updated the rc.firewall-2.4 ruleset to 0.75. Added additional
iptables kernel module comments.</P></LI>
<LI><P>06/24/03: Added Debian 3.0 to the supported distro list</P></LI>
<LI><P>06/23/03: Changed the PMTU URLs to point to Phil's primary www site</P></LI>
</UL>
<P>Changes from 05/26/03 to 06/22/03</P>
<UL>
<LI><P>06/22/03: Updated the various Indyramp MASQ email URLs again as things seemed
to have changed. Again.</P></LI>
<LI><P>06/21/03: Rewrote the MTU FAQ section to be clearer, include specific
information on the problems, and also fixed a bad typo for PPPoE users who
were trying to configure "--clamp-mss-to-mtu" when it should have been
"--clamp-mss-to-pmtu" (missing the p in pmtu).</P></LI>
<LI><P>06/13/03: Added kernel info for Mandrake 8.1</P></LI>
<LI><P>06/02/03: Fixed a typo where the extended 2.2.x kernel checks for IPMASQ
functionality were using "cat" and not "ls"</P></LI>
</UL>
<P>Changes from 04/08/03 to 05/26/03</P>
<UL>
<LI><P>05/26/03: Updated the firewall rulesets: rc.firewall-2.4 (to 0.74),
rc.firewall-2.2 (to 1.22), rc.firewall-2.4-stronger (to 0.79s), and
rc.firewall-2.2-stronger (to 0.71s) to use modprobe instead of insmod.</P></LI>
<LI><P>05/26/03: Added how to dump IPTABLES MASQ entries in the Accounting FAQ
section</P></LI>
<LI><P>05/26/03: Added Clamp-MSS recommendations to the MTU FAQ section</P></LI>
<LI><P>05/26/03: Added additional troubleshooting steps in Section 5 for when the MASQ
client cannot ping the MASQ server.</P></LI>
<LI><P>05/26/03: Added additional traffic shaping / traffic limiter URLs to the
SHAPING FAQ entry</P></LI>
<LI><P>05/26/03: Renamed the "IPROUTE2" FAQ entry to "Source Routing"; added IPTABLES
examples to the section; fixed an incorrect IP address of 62123.123.123.123</P></LI>
<LI><P>05/25/03: Fixed an SGML script that was improperly converting ampersands
for the downloadable firewall-* and rc.firewall-* scripts. Also caught an
SGML ampersand bug in a comment section of the rc.firewall-2.0 file</P></LI>
<LI><P>05/25/03: Deleted several dead links: ftp.gts.cz, novell.com LWP5,
old Juanjox mirror (geocities), old ipmasq2.webhop.net URL,
old zzdmacka NAT information URL, old linux.org/uk/VERSION URL,
old netfilter.samba.org URLs (no longer a netfilter mirror - redirect),
old Activision BattleZone DLL URL, old iproute2 (rpms, ras.ru, donlug,
dontsk, tusur, waaug, etc.) URLs, old rlynch ipautofw mirror</P></LI>
<LI><P>05/25/03: Updated several URLs: suse/proxy_suite/, www.indyramp.net URLs,
several URLs with " ~ " in them became ~732 for some reason,
updated all of the jhardin URLs to point from wolfnet.com to impsec.org,
updated all LDP URLs (linuxdoc.org to tldp.org), IPCHAINS patches for 2.0.x
kernels, metalab to tldp.org, winfiles.com to download.com,
Microsoft technet article 172227, Oidentd, mumford LooseUDP URL,
2.2.x PORT-FTP URL, IRQTUNE URL, midentd URL</P></LI>
<LI><P>05/25/03: Pending updates from remote webmasters: Indyramp EQL URL,
insecurity.net sidentd</P></LI>
<LI><P>05/25/03: Lots of little updates like: updated the Intro section verbiage a
little to reflect BETA kernels and not OLD kernels; updated the Forward
section (not PORTFW) to be a little more generic; added a link in the Forward
to the IPMASQ email list; updated the dates in the copyright notice.</P></LI>
<LI><P>05/24/03: Updated the "Current Status" to add the remark that some
programs have been updated to use NAT-friendly protocols and thus special
NAT modules are no longer required</P></LI>
<LI><P>05/24/03: Updated the 2.4 Requirements section: deleted a duplicate line
(true 1:1 NAT); cleaned some additional things up; added CuSeeme to the 2.4
ported list</P></LI>
<LI><P>05/24/03: Updated the 2.2 / 2.0 Requirements section: deleted the reference
to the obsolete IPMASQ ICQ module; updated the link for the LooseUDP URL.</P></LI>
<LI><P>05/24/03: Updated the Compiling Linux 2.2.x / 2.0.x section: deleted the
recommendations to load the rc.firewall ruleset via rc.local. This should
come later in the HOWTO and offer other methods for different Linux
distributions</P></LI>
<LI><P>05/24/03: Updated the ICQ Application section to say that these steps are
/not/ required for modern ICQ clients. I've left this section in the HOWTO
to demonstrate a large PORTFW example</P></LI>
<LI><P>05/24/03: Made some of the FAQ entries more kernel version generic and also
deleted the 2.0.x "upgrades-cont.html" FAQ entry as it was basically a
duplicate</P></LI>
<LI><P>05/24/03: Updated the LooseUDP game section to explain how it works,
explain how much of this was properly solved under the stateful IPTABLES
system, and also say that it is NOT available for the 2.4.x kernels.
If IPTABLES's stateful UDP tracking doesn't work for you, you're probably out
of luck.</P></LI>
<LI><P>05/24/03: Mentioned in the FAQ section that MASQ timers are NOT adjustable
under IPTABLES</P></LI>
<LI><P>05/24/03: Vastly expanded the packet firewall log FAQ entry and finally added
an IPTABLES packet log description section. I also aligned the IPCHAINS
example to match the IPFWADM entry</P></LI>
<LI><P>04/11/03: Fixed an incorrect echo statement saying the IPTABLES policy was
being set to REJECT and not DROP.</P></LI>
</UL>
<P>Changes from 01/31/03 to 04/08/03</P>
<UL>
<LI><P>04/08/03: Added additional formatting and the "ip_masquerade" /proc entry
into Section 3.2. This helps users determine if their kernel is MASQ-ready.</P></LI>
<LI><P>03/08/03: Added the EXTIP variable to the 2.4.x PORTFW example as several
people were trying to use this with the BASIC ruleset and I had assumed they
were using the STRONGER ruleset. Thanks to Greg Lukins for bringing this
to my attention.</P></LI>
<LI><P>03/08/03: Added distros to the MASQ compatibility list: Mandrake, Gentoo</P></LI>
<LI><P>02/08/03: Forgot to update the VERSION number for the
rc.firewall-2.4-stronger ruleset. Added some additional formatting</P></LI>
<LI><P>02/01/03: Added additional checking in the kernel compiling section to
understand if your kernel supports IPMASQ via modules or by being statically
compiled in.</P></LI>
</UL>
<P>Changes from 01/12/03 to 01/31/03</P>
<UL>
<LI><P>01/31/03: Doh. I should have read my own comments. I've reversed the
2.4.x policy settings from REJECT back to DROP. REJECT, for some lame
reason, is not a legal policy. The recommended REJECT action is still
carried out via the "drop-and-log-it" user chain.</P></LI>
<LI><P>01/30/03: Updated the Multiple-IPs FAQ entry to better describe how users
who want to put external IPs behind a Linux router can do so. Added additional URLs
and cleaned up the text a bit too.</P></LI>
<LI><P>01/30/03: Updated the 2.4.x requirement section to reflect more of the pros
of IPTABLES as well as the update status of some old legacy 2.2.x
modules</P></LI>
<LI><P>01/30/03: Added an additional FAQ entry that clearly explains what the
ipchains.o module can and CANNOT do on 2.4.x kernels</P></LI>
<LI><P>01/28/03: Extensively updated the 2.4.x kernel compilation section to reflect
a 2.4.20 kernel with IPTABLES 1.2.7a. The section also reflects the new
methods to compile IPTABLES and apply Patch-O-Matic patches, and includes
lots of example output too.</P></LI>
<LI><P>01/28/03: Updated the kernel compiling section to be a little clearer on how
different Linux distros can have different kernels (modules vs. monolithic)</P></LI>
<LI><P>01/17/03: Fixed a major issue where the rc.firewall-2.2-stronger ruleset
was referencing missing executable variables. This was taken from the
2.4-stronger ruleset but I guess I forgot to finish it off. Fixed.
Thanks to Samuel Kim for catching this!</P></LI>
<LI><P>01/17/03: Fixed an issue where the rc.firewall-2.2-stronger's commented
HTTP section was missing the "-p tcp" option.
Thanks to Samuel Kim for catching this!</P></LI>
<LI><P>01/16/03: Updated the URL for DJSF's ICQ module</P></LI>
<LI><P>01/16/03: Changed the default policy and drop chain from DENY to REJECT
on both IPTABLES rulesets and on the advanced IPFWADM ruleset.
Thanks to Jonathan Hutchins for bringing this to my attention.</P></LI>
<LI><P>01/16/03: Fixed a typo in the commented out HTTPd OUTPUT section of the
rc.firewall-2.2-s ruleset</P></LI>
<LI><P>01/13/03: Updated the IPMASQ www site URL from ipmasq.cjb.net to
ipmasq.webhop.net. CJB started to change their policies so we switched.</P></LI>
<LI><P>01/13/03: Added to the 2.4.x Requirements section that IPTABLES v1.2.7a is
out and recommended.</P></LI>
<LI><P>01/13/03: Added an additional test item to the "Test Section - Section 5" for
versions of IPTABLES that are too old. I also cleaned up this section to read
more easily.</P></LI>
<LI><P>01/13/03: Updated the rc.firewall-2.4-stronger ruleset to include commented
rules to allow in HTTP traffic to a local HTTP server. Also added a rule
comment in the FORWARD section to help users know where to put PORTFW commands.</P></LI>
<LI><P>01/13/03: Updated the rc.firewall-2.2-stronger ruleset to include commented
rules to allow in HTTP traffic to a local HTTP server. Also added a rule
comment in the FORWARD section to help users know where to put PORTFW commands.</P></LI>
<LI><P>01/13/03: Clarified the PORTFW section to help users better understand where
the PORTFW commands should go in the rc.firewall rulesets. I also cleaned up
this section to read a little better.</P></LI>
</UL
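>
<P>Three of the entries above record concrete ruleset details: the 01/31/03 note that REJECT is not a legal chain policy and that the reject action therefore lives in a user chain, the 11/13/05 note that the PORTFW PREROUTING rule gained state tracking, and the 06/21/03 note that the PPPoE MSS option is "--clamp-mss-to-pmtu". The fragment below is an added example written in the style of the HOWTO's rc.firewall-* scripts; it is not code from the HOWTO or its author. The interface names, the 203.0.113.10 external address, the 192.168.0.10 internal server and port 80 are constructed values, and the chain is named reject-and-log-it (the name the 12/19/03 entry adopted). Because IPTABLES defaults to "echo iptables", the script only prints the commands it would run.</P>
<PRE>
```sh
#!/bin/sh
# Added example in the style of the HOWTO's rc.firewall-* scripts; it is not
# code from the HOWTO itself. IPTABLES defaults to "echo iptables" so the
# fragment only prints the commands it would run; set IPTABLES=/sbin/iptables
# and run as root to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIF="${EXTIF:-eth0}"               # assumed external interface
INTIF="${INTIF:-eth1}"               # assumed internal interface
EXTIP="${EXTIP:-203.0.113.10}"       # constructed external address (documentation range)
PORTFWIP="${PORTFWIP:-192.168.0.10}" # constructed internal server address
PORTFWPORT="${PORTFWPORT:-80}"       # constructed forwarded port

# Built-in chains accept only ACCEPT or DROP as a policy. REJECT is a rule
# target, not a policy, so a REJECT policy is refused before it reaches iptables.
policy_is_legal() {
    case "$1" in
        ACCEPT|DROP) return 0 ;;
        *) return 1 ;;
    esac
}

# Set one default policy on the three filter chains; an illegal value fails
# here with a clear message instead of failing part-way through the ruleset.
set_default_policy() {
    if ! policy_is_legal "$1"; then
        echo "set_default_policy: '$1' is not a legal chain policy (use ACCEPT or DROP)" >&2
        return 1
    fi
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -P "$chain" "$1"
    done
}

# The "reject and log" behaviour lives in a user chain: rules that jump here
# log the packet with a prefix and then answer it with an ICMP error.
create_reject_and_log_chain() {
    $IPTABLES -N reject-and-log-it
    $IPTABLES -A reject-and-log-it -j LOG --log-level info --log-prefix "REJECT: "
    $IPTABLES -A reject-and-log-it -j REJECT
}

# PORTFW: rewrite NEW connections arriving on EXTIP:PORTFWPORT to the internal
# server, then allow the rewritten flow through FORWARD. Matching on state NEW
# in PREROUTING means only the first packet of a connection hits the DNAT rule;
# connection tracking translates the remaining packets of that flow.
portfw_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" \
        --dport "$PORTFWPORT" -m state --state NEW \
        -j DNAT --to-destination "$PORTFWIP:$PORTFWPORT"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$PORTFWIP" \
        --dport "$PORTFWPORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# MSS clamping for PPPoE links: rewrite the MSS of forwarded SYN packets to
# fit the path MTU (note the option is --clamp-mss-to-pmtu, with the "p").
clamp_mss_rule() {
    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Load the whole fragment in order: policies first, then the user chain,
# then the forwarding rules.
load_fragment() {
    set_default_policy DROP
    create_reject_and_log_chain
    portfw_rules
    clamp_mss_rule
}

load_fragment
```
</PRE>
<P>Running the script as-is prints the iptables commands so they can be checked before being applied; the policy check is the part that catches the REJECT-as-policy mistake the 01/31/03 entry describes, because iptables would otherwise reject that line at load time and leave the rest of the ruleset half-applied.</P>
<BR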
><P>Changes from 12/13/02 to 01/12/03</P>
<UL>
<LI><P>01/03/03: Added Redhat 7.3 and 8.0 to the compatibility chart.</P></LI>
<LI><P>01/03/03: Fixed various typos. Thanks to Gabriel Withington for the sharp
eye.</P></LI>
<LI><P>12/22/02: Updated the 2.2.x H.323 kernel patch URL. Thanks to Maxime Plante
for pointing this out.</P></LI>
<LI><P>12/22/02: Updated the 2.4.x kernel compiling section to let users know that
most modern kernels don't need IPTABLES Patch-o-matic patches to be applied
except to fix bugs or add additional functionality.</P></LI>
</UL>
<P>Changes from 10/20/02 to 12/13/02</P>
<UL>
<LI><P>11/27/02: Fixed the init.d scripts to point the header to the correct config
file. This must be due to newer versions of "chkconfig" doing better checking.
Please note that this might still be a problem for the rc.firewall-2.?-stronger
rulesets. Thanks to Joris Van Puyenbroeck for the heads up.</P></LI>
<LI><P>11/25/02: Updated all the firewall comments to reflect that PPPoE users need to
use the "ppp0" logical interface as their external interface instead of the
physical interface such as "eth0". Thanks to Meng Cheah for the nudge.</P></LI>
<LI><P>11/13/02: Updated the URL for the Donald Becker based NIC drivers. Thanks to
Bruce Gorgon for the heads up.</P></LI>
<LI><P>11/01/02: Added a new FAQ section that covers redirection of local INTERNAL
traffic to internal PORTFWed servers</P></LI>
<LI><P>11/01/02: Updated the PORTFW section to be a little clearer.</P></LI>
</UL>
<P>Changes from 04/19/02 to 10/20/02</P>
<UL>
<LI><P>09/29/02: Fixed a stray incorrect IP address pointing to metalab.unc.edu</P></LI>
<LI><P>08/29/02: Fixed a typo in the firewall-2.2 startup script which
was starting the 2.4 firewall and not the 2.2 version.
Thanks to Jean-Marc Vanel for catching this.</P></LI>
<LI><P>08/25/02: Updated the rc.firewall-2.2-stronger and rc.firewall-2.2
scripts to use shell environment variables.</P></LI>
<LI><P>07/09/02: Updated the FTP PORTFW section to be more readable</P></LI>
<LI><P>07/06/02: Replaced all the filewatcher.org URLs with netfilter.org
URLs</P></LI>
<LI><P>06/12/02: Changed some of the formatting to try and help newbies
better understand that the "\" character is used as a continuation
of the previous line.</P></LI>
<LI><P>06/12/02: Updated the IP address of metalab.unc.edu in Section 5.
Thanks to Pete Trachy for bringing this to my attention, but please note
that even major sites like Metalab change their IPs, subnets, or even
ISPs from time to time.</P></LI>
<LI><P>06/02/02: Updated the rc.firewall-2.4 ruleset to include a commented
option for NATing IRC DCCs, added the use of more environment vars, and
added additional formatting.</P></LI>
<LI><P>05/18/02: Added some extra # lines in the commented section of the
rc.firewall-2.4-stronger ruleset to better serve Cut and Paste users.</P></LI>
<LI><P>05/04/02: - Updated the various PPTP MASQ links to point to a valid URL.
Also updated the HOWTO to reflect that PPTP is now supported on the 2.4.x
kernels.</P></LI>
<LI><P>05/03/02: - Updated the 2.4.x kernel requirements section to point out
that IPCHAINS compatibility under 2.4.x kernels isn't very good. If you
want to use IPMASQ under a 2.4.x kernel, you should use IPTABLES rules only.</P></LI>
</UL>
<P>Changes from 01/05/02 to 04/19/02 - v2.00.041902 published to the LDP</P>
<UL>
<LI><P>04/01/02: - Updated the rc.firewall-2.4-stronger ruleset to denote
and disable internal DHCP server support on the OUTPUT rules</P></LI>
<LI><P>02/09/02: - Added Redhat-style init.d scripts to start the
rc.firewall files</P></LI>
<LI><P>02/09/02: - Updated all the various chapters to use human readable
file names vs. things like x2623.html.</P></LI>
<LI><P>02/09/02: - Expanded the IPMASQ accounting section</P></LI>
<LI><P>02/04/02: - Deleted an extra "$" from the PORTFW variable in section
6.7.1</P></LI>
<LI><P>01/31/02: - Updated the URLs for the PPPd and Diald homepages</P></LI>
<LI><P>01/26/02: - Fixed some typos and added a LooseUDP clarification to tell
users to read the example rc.firewall-2.2 ruleset comments on how to enable
LooseUDP.</P></LI>
<LI><P>01/08/02: - Made some slight clarifications to IP Alias support</P></LI>
</UL>
<P>Changes from 11/19/01 to 01/05/02 - 010502 published to the LDP</P>
<UL>
<LI><P>01/05/02: - Added disabled rules to the rc.firewall-2.4-stronger
ruleset to support an INTERNAL DHCP server and EXTERNAL access to a WWW server
running on the MASQ machine.</P></LI>
<LI><P>01/05/02: - Added required changes to the loading of the
ip_conntrack_ftp module if people PORTFW to non-standard FTP ports.</P></LI>
<LI><P>01/05/02: - Added an example in the 2.4.x PORTFW section on
how to REDIRECT internal traffic back to an INTERNAL server. This is
the same as running REDIR under 2.2.x and 2.0.x kernels.</P></LI>
<LI><P>01/05/02: - Added Juanjox mirror URLs to the HOWTO.</P></LI>
<LI><P>01/04/02: - Clarified and cleaned up the ICQ PORTFW section; added
thoughts on the ip_masq_icq, PORTFW, and SOCKS solutions</P></LI>
<LI><P>01/05/02: - Added Slackware 8.0 to the supported list.</P></LI>
<LI><P>01/04/02: - Fixed some spelling mistakes in the 2.4 and 2.2
rulesets. Thanks to Michael Ott for the sharp eye.</P></LI>
<LI><P>12/19/01: - Fixed a minor comment typo in the rc.firewall-2.4
file. Thanks to Bruno Negrao for this one.</P></LI>
<LI><P>12/02/01: - Fixed some minor version typos in the 2.4.x rc.firewall
ruleset; added a missing $PORTFWIF variable for the 2.4.x PORTFW example.
Thanks to Neil Bunn for the errata.</P></LI>
<LI><P>11/25/01: - Expanded on the ipchains module conflict error messages
in Section 5</P></LI>
<LI><P>11/23/01: - Updated the HOWTO to reflect a new PPTP kernel module
for the 2.4.x kernels</P></LI>
<LI><P>11/19/01: - Clarified the PPTP support for 2.4.x kernels</P></LI>
</UL>
<P>Changes from 08/26/01 to 11/18/01 - 111801 published to the LDP</P>
<UL>
<LI><P>11/12/01: - Updated various comments to reflect new versions: Linux 2.4.14,
iptables 1.2.4, and Linux 2.2.20.</P></LI>
<LI><P>11/12/01: - Added the rc.firewall-2.4-stronger ruleset to the HOWTO,
updated the 2.4.x kernel and IPTABLES compiling steps to
reflect 2.4.14 and 1.2.4.</P></LI>
<LI><P>11/10/01: - Added the directly downloadable versions of the 2.4,
2.4-stronger, 2.2, 2.2-stronger, 2.0, and 2.0.x-stronger
rulesets to the WWW.</P></LI>
<LI><P>11/10/01: - Updated the 2.4.x PORTFW example to add the missing
FORWARD option.</P></LI>
<LI><P>11/10/01: - Updated the DSL-HOWTO link in the HOWTO</P></LI>
<LI><P>10/27/01: - Updated the network diagram in section 2.5 to be a little
more verbose.</P></LI>
<LI><P>09/18/01: - Fixed some broken reference links pointing to the respective
2.4.x, 2.2.x, and 2.0.x kernel compiling recommendations.</P></LI>
<LI><P>09/16/01: - Cleaned up and updated the PORTFW section to also include
PREROUTING examples for 2.4.x kernels.</P></LI>
<LI><P>09/13/01: - Updated the IPTABLES simple rc.firewall ruleset to 0.62.
This fixed a typo on the MASQ enable line that used eth0
instead of $EXTIF.
Thanks to Hafi for reporting this.</P></LI>
<LI><P>09/07/01: - It seems that most people who are getting IPCHAINS and IPTABLES
conflicts are running Redhat 7.1. I have updated section
5 on how to fix this. Thanks to Jason Wenzel for helping me
with this.</P></LI>
<LI><P>09/07/01: - Noted that IPTABLES v1.2.3 is the current version. All versions
less than v1.2.3 have an FTP module bug that can bypass strong
firewall rulesets. Please upgrade your copy of IPTABLES now.</P></LI>
<LI><P>09/07/01: - Created version numbers for the simple rc.firewall rulesets
(IPTABLES - v0.61) (IPCHAINS - v1.01) (IPFWADM - v2.01) and
cleaned up some of the comments in each section.</P></LI>
<LI><P>09/07/01: - Added rules to the simple rc.firewall rulesets to flush the
various tables. In addition to this, I have added the use
of environment variables and more echo statements in the
rulesets to make things easier to edit and monitor.
Thanks to Ian Bishop for the good idea.</P></LI>
<LI><P>09/07/01: - Added the use of EXTIF and INTIF interface variables in each of
the rc.firewall and partial firewall rulesets for better
clarity (similar to what TrinityOS has been doing for a while
now). Thanks to Sean McKeon for the nudge.</P></LI>
<LI><P>09/07/01: - Fixed a typo in the UNIX client configuration section where the
network broadcast was 192.168.0.25 instead of .255.</P></LI>
</UL>
<P>Changes from 2.01 to 2.05 - 08/26/01</P>
<UL>
<LI><P>08/19/01: - Added an additional testing step in Section 5 to make sure the
rc.firewall file loads ok. Thanks to Steven Levis for the good idea.</P></LI>
<LI><P>08/15/01: - Changed the reference for the /etc/hosts file from RFC952 to
RFC1035. Thanks to Michael F. Maggard for the correction.</P></LI>
</UL>
<P>Changes from 1.96 to 2.01 - 08/12/01</P>
<UL>
<LI><P>08/12/01: - Updated the basic IPTABLES ruleset to 0.60 which fixed a major
issue where all MASQed packets were being dropped. Ultimately,
I forgot to add a rule to ACCEPT correct packets through the
forwarding chain.</P></LI>
<LI><P>- Added an additional rule to log all bogus FORWARD packets</P></LI>
<LI><P>- Load the FTP nat modules now by default
|
||
|
</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
> - Changed the load order of some of the kernel modules to not
|
||
|
create bogus error messages
|
||
|
</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
> - Added an IPTABLES section on how to MASQ specific hosts vs. an
|
||
|
entire subnet
|
||
|
</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
> - Added more MASQ-client compatible operating systems
|
||
|
</P
|
||
|
></LI
|
||
|
></UL
|
||
|
>
|
||
|
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
> 07/19/01: - The advanced IPCHAINS example for forwarding between multiple
|
||
|
interfaces was missing the critital "-j ACCEPT" to actually let
|
||
|
the packets flow.
|
||
|
Thanks to Shingo Yamaguchi for catching this.
|
||
|
</P
|
||
|
></LI
|
||
|
></UL
|
||
|
>
|
||
|
|
||
|
|
||
|
Changes from 1.96 to 2.00 - 06/10/01
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>06/21/01: Updated Section 5 (Testing Section) to add an additional test to
|
||
|
help users troubleshoot their MASQ setup. There are now a total
|
||
|
of -11- tests.
|
||
|
|
||
|
06/16/01: Updated the intro History section at the beginning of the HOWTO.
|
||
|
|
||
|
06/14/01: Added mirror Netfilter and IPCHAINs mirror URLs
|
||
|
|
||
|
06/13/01: Updated the H.323 URL</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>06/10/01:
|
||
|
|
||
|
Double DOH! The simple rc.firewall script for the 2.4 kernels had
|
||
|
two major errors in it. The new version is far more informative
|
||
|
and even works!
|
||
|
|
||
|
I am continuing to go through the HOWTO and cleaning things up
|
||
|
but I'm not done quite yet.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>06/02/01:
|
||
|
|
||
|
Updated the lists of known compatible MASQ'ed operating systems
|
||
|
(Windows M3, Linux 2.3, 2.4, etc)
|
||
|
|
||
|
Made more references to DHCP and DNS in the various different MASQ client
|
||
|
configuration guides.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
> 04/12/01:
|
||
|
|
||
|
Thanks to the Joshua X and the other people at Command Prompt, Inc.
|
||
|
for the port of the HOWTO from LinuxDoc to DocBook.
|
||
|
|
||
|
Add email list URL to line 126</P
|
||
|
></LI
|
||
|
></UL
|
||
|
></P
|
||
|
><P
|
||
|
>Changes from 1.90 to 1.95 - 11/11/00
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
> A BIG thanks to the Joshua X and the other people at Command Prompt, Inc.
|
||
|
for the port of the HOWTO from LinuxDoc to DocBook.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a quick upfront notice in the intro that running a SINGLE NIC in MASQ
|
||
|
mutliple ethernet segments is NOT recommended and linked to the relivant FAQ
|
||
|
entry. Thanks to Daniel Chudnov for helping the HOWTO be more clear.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a pointer in the Intro section to the FAQ section for users looking for
|
||
|
how MASQ is different from NAT and Proxy services.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Reordered the Kernel requirements sections to be 2.2.x, 2.4.x, 2.0.x</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Expanded the kernel testing in Section 3 to see if a given kernel already
|
||
|
supports MASQ or not.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Reversed the order of the displayed simple MASQ ruleset examples (2.2.x and 2.0.x)</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Cleaned up some formatting issues in the 2.0.x and 2.2.x rc.firewall files</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Noted in the 2.2.x rc.firewall that the defrag option is gone in some distro's
|
||
|
proc (Debian, TurboLinux, etc)</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a NOTE #3 to the rc.firewall scripts to include instructions for Pump.
|
||
|
Thanks to Ross Johnson for this one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Cleaned up the simple MASQ ruleset examples for both the 2.2.x and 2.2.x
|
||
|
kernels</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the simple and stronger IPCHAINS and IPFWADM rulesets to include the
|
||
|
external interface names (IPCHAINS is -i; IPFWADM is -W) to avoid some internal
|
||
|
traffic MASQing issues.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Vastly expanded the Section 5 (testing) with even more testing steps with added
|
||
|
complete examples of what the output of the testing commands should look like. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Moved the H.323 application documentation from NOT supported to Supported. :-)</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Reordered the Multiple LAN section examples (2.2.x then 2.0.x)</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Made some additional clarifications to the Multiple LAN examples</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a critical typo with multiple NIC MASQing where the network examples had
|
||
|
the specified networks reversed. Thanks to Matt Goheen for catching this. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a little intro to MFW in the PORTFW section.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Reveresed the 2.0.x and 2.2.x sections for PORTFW</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the news regarding PORTFWing FTP traffic for 2.2.x kernels
|
||
|
|
||
|
<TABLE
|
||
|
BORDER="0"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="90%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="PROGRAMLISTING"
|
||
|
> NOTE: At this time, there *IS* a BETA level IP_MASQ_FTP module
|
||
|
for PORT Forwarding FTP connections 2.2.x kernels which also supports
|
||
|
adding additional PORTFW FTP ports on the fly without the requirement
|
||
|
of unloading and reloading the IP_MASQ_FTP module and thus breaking
|
||
|
any existing FTP transfers.
|
||
|
</PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
></P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a top level note about PORTFWed FTP support</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a noted to the 2.0.x PORTFW'ed FTP example why users DON'T need to PORTFW
|
||
|
port 20.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the PORTFW section to also mention that users can use FTP proxy
|
||
|
applications like the one from SuSe to support PORTFWed FTP-like
|
||
|
functionality. Thanks to Stephen Graham for this one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the example for how to enable PORTFWed FTP to also include required
|
||
|
configurations on how the ip_masq_ftp module is loaded for users who use
|
||
|
multiple PORTs to contact multiple internal FTP servers. Thanks to Bob Britton
|
||
|
for reminding me about this one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a FAQ entry for users who have embedded ^Ms in their rc.firewall
|
||
|
file</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Expanded the FAQ entry talking about how MASQ is different from NAT and Proxy
|
||
|
to include some informative URLs.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the explanation of the MASQ MTU issue and described the two main
|
||
|
explanations for the issue.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Clarified that the RFC, PPPoE should only require an MTU of 1492 though some
|
||
|
ISPs require a setting of 1460. Because of this, I have updated the example
|
||
|
to show an MTU of 1492. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Broke out the Windows 9x sections into Win95 and Win98 as they use different
|
||
|
settings (DWORD vs. STRING). I also updated the sections to be clearer and the
|
||
|
Registry backup methods have been updated. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a typo where the NT 4.0 Registry entries were backwards
|
||
|
(Tcpip/Parameters vs. Parameters/Tcpip). </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed an issue where the WinNT entry should have been a DWORD and not a
|
||
|
STRING.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>A serious thanks goes out to Geoff Mottram for his various PPPoE and various
|
||
|
Windows Registry entry fixes.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added an explict URL for Oident in the IRC FAQ entry</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the FAQ section regarding some broken "netstat" versions</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added new FAQ sections for MASQ accounting ideas and traffic shaping</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Expanded the IPROUTE2 FAQ entry on what Policy-routing is.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Moved the IPROUTE2 URLs to the 2.2.x Kernel requirements section and also added
|
||
|
a few more URLs as well.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Corrected the "intnet" varible in the stronger IPCHAINS ruleset to reflect the
|
||
|
192.168.0.0 network to be consistent with the rest of the example. Thanks to
|
||
|
Ross Johnson for this one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a new FAQ section for users asking about forwarding problems between
|
||
|
multiple internal MASQed LANs.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a new FAQ section about users wanting to PORTFW all ports from multiple
|
||
|
external IP addresses to internal ones. I also touched on users who were trying
|
||
|
to PORTFW all ports on multiple IP ALIASed interfaces and also noted the
|
||
|
Bridge+Firewall HOWTO for DSL and Cablemodem users who have multiple IPs in a
|
||
|
non-routed environment.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Mandrake 7.1, Mandrake 7.2, and Slackware 7.1 to the supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Redhat 7.0 to the MASQ supported distros. Thanks to Eugene Goldstein for
|
||
|
this one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a mathematical error in the "Maximum Throughput" calculation in the FAQ
|
||
|
section. Thanks to Joe White @ ip255@msn.com for this one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed the Windows9x MTU changes to be a STRING change and not a DWORD change
|
||
|
to the registry. Thanks to jmoore@sober.com for this one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the comments in the 2.0.x rc.firewall script to note that the ip_defrag
|
||
|
option is for both 2.0 and 2.2 kernels. Thanks to pumilia@est.it for this
|
||
|
clarification.</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.85 to 1.90 - 07/03/00
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the URL for TrinityOS to reflect its newest layout</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Caught a typo in the IPCHAINS rulesets where I was setting "ip_ip_always_defrag"
|
||
|
instead of "ip_always_defrag"</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>The URL to Taro Fukunaga was invaild since it was using "mail:" instead of
|
||
|
"mailto:"</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added some clarification to the "Masqing multiple internal interfaces" where
|
||
|
some users didn't understand why eth0 was referenced multiple times.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed another "space after the EXTIP variable" bug in the stronger IPCHAINS
|
||
|
section. I guess I missed one.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>In Test #7 of Section 5, I referred users to go back to step #4. That should
|
||
|
have been step #6.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the kernel versions that came with SuSe 5.2 and 6.0</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a typo (or vs. of) in Section 7.2</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Item #9 to the Testing MASQ section to refer users who are still haing
|
||
|
MASQ problems to read the MTU entry in the FAQ</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Improved the itemization in Section 5</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the IPCHAINS syntax to show the MASQ/FORWARD table. Before, it was
|
||
|
valid to run "ipchains -F -L" but now only "ipchains -M -L" works. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the LooseUDP documentation to reflect the new LooseUDP behavior in
|
||
|
2.2.16+ kernels. Before, it was always enabled, now, it defaults to OFF due
|
||
|
to a possible MASQed UDP port scanning vulnerability. I updated the BASIC and
|
||
|
SEMI-STRONG IPCHAINS rulesets to reflect this option.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the recommended 2.2.x kernel to be 2.2.16+ since there is a TCP root
|
||
|
exploit vulnerability on all lesser versions.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Redhat 6.2 to the MASQ supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the link for Sonny Parlin's FWCONFIG to point to fBuilder.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the various examples of IP addresses from 111.222.333.444 to be
|
||
|
111.222.121.212 and within a valid IP address range</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the URL for the BETA H.323 MASQ module</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Finally updated the MTU FAQ section to help out PPPoE DSL and Cablemodem users.
|
||
|
Basically, <A
|
||
|
HREF="mtu-issues.html"
|
||
|
>Section 7.15</A
|
||
|
> now reflects the fact that users can
|
||
|
also change the MTU settings of all of their INTERNAL machines to solve the
|
||
|
dreaded MASQ MTU issue. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a clarification to the PORTFW section that PORTFWed connections which
|
||
|
work for EXTERNAL clients but will not work for INTERNAL clients. If you also
|
||
|
need INTERNAL portfw, you will need to also implement the REDIR tool as well.
|
||
|
I also noted that this issue is fixed in the 2.4.x kernels with Netfilter.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>I also added a technical explanation from Juanjo to the end of the PORTFW
|
||
|
section to why this senario doesn't work properly.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated all of the IPCHAINS URLs to point to Paul Rusty's new site at
|
||
|
http://www.netfilter.org/ipchains/</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated Paul Rustys email address</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a new FAQ section for users whose connections remain idle for a long
|
||
|
period of time and PORTFWed connections no longer work. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated all the URLs to the LDP that pointed to metalab.unc.edu to the new
|
||
|
site of linuxdoc.org</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the Netfilter URLs to point to renamed HOWTOs, etc.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>I also updated the status of the 2.4.x support to note that I *will* add full
|
||
|
Netfilter support to this HOWTO and if the time comes, then split that support
|
||
|
off into a different HOWTO.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the 2.4.x Requirements section to reflect how NetFilter has changed
|
||
|
compared to IPFWADM and IPCHAINS and gave a PROs/CONs list of new features and
|
||
|
changes to old behaviors.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a TCP/IP math example to the "My MASQ connection is slow" FAQ entry to
|
||
|
better explain what a user should expect performance wise.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the HOWTO to reflect that newer versions of the "pump" DHCP client now
|
||
|
can run scripts upon bringup, lease renew, etc.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the PORTFWing of FTP to reflect that several users say they can
|
||
|
successfully forward FTP traffic to internal machines without the need of a
|
||
|
special ip_masq_ftp module. I have made the HOWTO reflect that users should
|
||
|
try it without the modified module first and then move to the patch if required.</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.82 to 1.85 - 05/29/00
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Ambrose Au's name has been taken off the title page as David Ranch has been
|
||
|
the primary maintainer for the HOWTO for over a year. Ambrose will still be
|
||
|
involved with the WWW site though.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Deleted a stray SPACE in section 6.4</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Re-ordered the compatible MASQ'ed OS section and added instructions for
|
||
|
setting up a AS/400 system running on OS/400. Thanks to jaco@libero.it for
|
||
|
the notes.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added an additional PORFW-FTP patch URL for FTP access if HTTP access fails.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the kernel versions for Redhat 5.1 & 6.1 in the FAQ</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added FloppyFW to the list of MASQ-enabled Linux distros</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed an issue in the Stronger IPFWADM rule set where there were spaces between
|
||
|
"ppp_ip" and the "=".</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>In the kernel compiling section for 2.2.x kernels, I removed the reference to
|
||
|
enable "CONFIG_IP_ALWAYS_DEFRAG". This option was removed from the compiling
|
||
|
section and enabled by default with MASQ enabled in 2.2.12.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Because of the above change in the kernel behavior, I added the enabling of
|
||
|
ip_always_defrag to all the rc.firewall examples.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the status of support for H.323. There are now ALPHA versions of
|
||
|
modules to support H.323 on both 2.0.x and 2.2.x kernels.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Debian v2.2 to the supported MASQ distributions list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a long standing issue where the section that covered explict filtering
|
||
|
of IP addresses for IPCHAINS had old IPFWADM syntax. I've also cleaned this
|
||
|
section up a little and made it understandable.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Doh! Added Juan Ciarlante's URL to the important MASQ resources section.
|
||
|
Man.. you guys need to make me more honest than this!!</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the HOWTO to reflect kernels 2.0.38 and 2.2.15</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Reversed the order shown to compile kernels to show 2.2.x kernels first as
|
||
|
2.0.x is getting pretty old.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the 2.2.x kernel compiling section to reflect the changed options
|
||
|
for the latter 2.2.x kernels.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a a possible solution for users that fail to get past MASQ test #5.</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.81 to 1.82 - 01/22/00
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a missing subsection for /proc/sys/net/ipv4/ip_dynaddr in the stronger
|
||
|
IPCHAINS ruleset. Section 6.5</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Changed the IP Masq support for Debian 2.1 to YES</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Reorganized and updated the "Masq is slow" FAQ section to include fixing
|
||
|
Ethernet speed and duplex issues.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a link to Donald Becker's MII utilities for Ethernet NIC cards</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a missing ")" for the 2.2.x section (previously fixed it only for the
|
||
|
2.0.x version) to the ICQ portfw script and changed the evaluation from -lt
|
||
|
to -le</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Caldera eServer v2.3 to the MASQ supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Mandrake 6.0, 6.1, 7.0 to the MASQ supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Slackware v7.0 to the MASQ supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Redhat 6.1 to the MASQ supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added TurboLinux 4.0 Lite to the MASQ supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added SuSe 6.3 to the MASQ supported list</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the recommended stable 2.2.x kernel to be anything newer than 2.2.11</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>In section 3.3, the HOWTO forgot how to tell the user how to load the
|
||
|
/etc/rc.d/rc.firewall upon each reboot. This has now been covered for Redhat
|
||
|
(and Redhat-based distros) and Slackware.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added clarification in the Windows WFWG v3.x and NT setup sections why users
|
||
|
should NOT configure the DHCP, WINS, and Forwarding options.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a FAQ section on how to fix FTP problems with MASQed machines.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a typo in the Stronger firewall rulesets. The "extip" variabl cannot
|
||
|
have the SPACE between the variable name and the "=" sign. Thanks to
|
||
|
johnh@mdscomp.com for the sharp eye.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the compatibly section: Mandrake 7.0 is based on 2.2.14 and TurboLinux
|
||
|
v6.0 runs 2.2.12</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.80 to 1.81 - 01/09/00
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the ICQ section to reflect that the new ICQ Masq module supports file
|
||
|
transfer and real-time chat. The 2.0.x module still has those limitations.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated Steven E. Grevemeyer's email address. He is the maintainer of the
|
||
|
IP Masq Applications page.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a few lines that were missing the work AREN'T for the "setsockopt" errors.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated a error the strong IPCHAINS ruleset where it was using the variable
|
||
|
name "ppp_ip" instead of "extip".</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a "." vs a "?" typo in section 3.3.1 in the DHCP comment section.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a missing ")" to the ICQ portfw script and changed the evaluation from
|
||
|
-lt to -le</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the Quake Module syntax to NOT use the "ports=" verbage</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.79 to 1.80 - 12/26/99
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a space typo when setting the "ppp_ip" address. </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a typo in the simple IPCHAINS ruleset. "deny" to "DENY"</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the URLs for Bjorn's "modutils" for Linux</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added verbage about NetFilter and IPTables and gave URLs until it is added
|
||
|
to this HOWTO or a different HOWTO.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the simple /etc/rc.d/rc.firewall examples to notify users about the
|
||
|
old Quake module bug.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the STRONG IPFWADM /etc/rc.d/rc.firewall to clarify users about dynamic
|
||
|
IP addresses (PPP & DHCP), newer DHCPCD syntax, and the old Quake module
|
||
|
bug.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the STRONG IPCHAINS /etc/rc.d/rc.firewall to ADD a missing section on
|
||
|
dynamic IP addresses (PPP & DHCP) and the old Quake module bug.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a note in the "Applications that DO NOT work" section that there IS a
|
||
|
beta module for Microsoft NetMeeting (H.323 based) v2.x on 2.0.x kernels. There
|
||
|
is NO versions available for Netmeeting 3.x and/or 2.2.x kernels as of yet.</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.78 to 1.79 - 10/21/99
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the HOWTO name to reflect that it isn't a MINI anymore!</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.77 to 1.78 - 8/24/99
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a typo in "Section 6.6 - Multiple Internal Networks" where the -a policy
|
||
|
was ommited.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Deleted the 2.2.x kernel configure option "Drop source routed frames" since it is now enabled by default and the kernel compile option was removed.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the 2.2.x and all other IPCHAINS sections to notify users of the IPCHAINS fragmentation bug.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated all of the URLs pointing at Lee Nevo's old IP Masq Applications page
|
||
|
to Seg's new page.</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.76 to 1.77 - 7/26/99
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a typo in the Port fowarding section that used "ipmasqadm ipportfw -C"
|
||
|
instead of "ipmasqadm portfw -f"</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.75 to 1.76 - 7/19/99
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the "ipfwadm: setsockopt failed: Protocol not available" message in the
|
||
|
FAQ to be clearer instead of making the user hunt for the answer in the Forwarders
|
||
|
section.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed incorrect syntax in section 6.7 for IPMASQADM and "portfw"</P
|
||
|
></LI
|
||
|
></UL
|
||
|
> </P
|
||
|
><P
|
||
|
>Changes from 1.72 to 1.75 - 6/19/99
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed the quake module port setup order for the weak IPFWADM & IPCHAINS
|
||
|
ruleset and the strong IPFWADM ruleset as well.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a user report about port forwarding ICQ 4000 directly in and using ICQ's
|
||
|
default settings WITHOUT enabling the "Non-Sock" proxy setup.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the URLs for the IPMASQADM tool</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added references to Taro Fukunaga, tarozax@earthlink.net for his MkLinux port
|
||
|
of the HOWTO</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the blurb about Sonny Parlin's FWCONFIG tool to note new IPCHAINS
|
||
|
support</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Noted that Fred Vile's patch for portfw'ed FTP access is ONLY available for the
|
||
|
2.0.x kernels</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the 2.2.x kernel step with a few clarifications on the Experiemental tag </P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added Glen Lamb's name to the credits for the LooseUDP patch</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a clarification on installing the LooseUDP patch that it should use "cat"
|
||
|
for non-compressed patches.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Fixed a typo in the IPAUTO FAQ section</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>I had the DHCP client port numbers reversed for the IPFWADM and IPCHAINS
|
||
|
rulesets. The order I had was if your Linux server was a DHCP SERVER.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added explict /sbin path to all weak and strong ruleset examples.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Made some clarifications in the strong IPFWADM section regarding Dynamic IP
|
||
|
addresses for PPP and DHCP users. I also noted that the strong rulesets should
|
||
|
be re-run when PPP comes up or when a DHCP lease is renewed.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added references in the 2.2.x requirements, updated the ICQ FAQ section, and
|
||
|
added Andrew Deryabin to the credits section for his ICQ MASQ module.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added some clarifcations to the FAQ section explaining why the 2.1.x and 2.2.x
|
||
|
kernels went to IPCHAINS.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added a little FAQ section on Microsoft File/Print/Domain services (Samba)
|
||
|
through a MASQ server. I also added an URL to a Microsoft Knowledge based
|
||
|
document for more details.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added clarifications to the FAQ section that NO Debian distribution supports IP
|
||
|
masq out of the box.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Updated the supported MASQ distributions in the FAQ section.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Added to the Aliased NIC section of the FAQ that you CANNOT masq out of an
|
||
|
aliased interface.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>Wow.. never caught this before but the "ppp-ip" variable in the strong ruleset
|
||
|
section is an invalid variable name! It has been renamed to "ppp_ip"</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>In both the IPFWADM and IPCHAINS simple ruleset setup areas, I had a commented
|
||
|
out section on enabling DHCP traffic. Problem is, it was below the final
|
||
|
reject line! Doh! I moved both up a section.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>In the simple IPCHAINS setup, the #d out line for DHCP users, I was using the
|
||
|
IPFWADM "-W" command instead of IPCHAINS's "-i" parameter.</P
|
||
|
></LI
|
||
|
><LI
><P
>Added a little blurb to the Forwarders section on the resolution to the famous
"ipfwadm: setsockopt failed: Protocol not available" error. This also includes
a little /proc test to let users confirm if IPPORTFW is enabled in the kernel.
I also added this error to a FAQ section for simple searching.</P
></LI
><LI
><P
>Added a Strong IPCHAINS ruleset to the HOWTO.</P
></LI
><LI
><P
>Added a FAQ section explaining the "kernel: ip_masq_new(proto=UDP): no free ports." error.</P
></LI
><LI
><P
>Added an example of scripting IPMASQADM PORTFW rules.</P
></LI
><LI
><P
>Updated a few of the Linux Documentation Project (LDP) URLs.</P
></LI
><LI
><P
>Added Quake III support in the module loading sections of all the rc.firewall
rulesets.</P
></LI
><LI
><P
>Fixed the IPMASQADM forwards for ICQ.</P
></LI
><LI
><P
>1.72 - 4/14/99 - Dranch: Added a large list of Windows NAT/Proxy alternatives
with rough pricing and URLs to the FAQ.</P
></LI
><LI
><P
>1.71 - 4/13/99 - Dranch: Added IPCHAINS setups for multiple internal MASQed
networks. Changed the ICQ setup to use ICQ's default 60-second timeout and
changed the IPFWADM/IPCHAINS timeout to 160 seconds. Updated the MASQ and MASQ-DEV
email list and archive subscription instructions.</P
></LI
><LI
><P
>1.70 - 3/30/99 - Dranch: Added two new FAQ sections that cover SMTP/POP-3
timeout problems and how to masquerade multiple internal networks out onto
different external IP addresses with IPROUTE2.</P
></LI
><LI
><P
>1.65 - 3/29/99 - Dranch: Typo fixes, clarifications of required 2.2.x kernel
options, added dynamic PPP IP address support to the strong firewall section,
additional Quake II module ports, noted that the LooseUDP patch is built into
later 2.2.x kernels and it's from Glenn Lamb and not Dan Kegel, added more game
info in the compatibility section.</P
></LI
><LI
><P
>1.62 - Dranch: Made the final first-draft changes to the doc and announced
it on the MASQ email list.</P
></LI
><LI
><P
>1.61 - Dranch: Made editorial changes, cleaned things up and fixed some errors
in the Windows 95 and NT setups.</P
></LI
><LI
><P
>1.58 - Dranch: Addition of the port forwarding sections; LooseUDP setup; Ident
servers for IRC users; how to read firewall logs; deleted the CuSeeme Mini-HOWTO
since it is rarely used.</P
></LI
><LI
><P
>1.55 - Dranch: Complete overhaul, feature and FAQ addition, and editing sweep
of the v1.50 HOWTO. Completed the 2.2.x kernel and IPCHAINS configurations.
Did a conversion from IPAUTOFW to IPPORTFW for the examples that applied.
Added many URLs to various other documentation and utility sites. There are so
many changes. I hope everyone likes it. Final publishing of this new rev of
the HOWTO to the LDP project won't happen until the doc is looked over and
approved by the IP MASQ email list (then v2.00).</P
></LI
><LI
><P
>1.50 - Ambrose: A serious update to the HOWTO and the initial addition of the
2.2.0 and IPCHAINS configurations.</P
></LI
><LI
><P
>1.20 - Ambrose: One of the more recent HOWTO versions that solely dealt with
&lt; 2.0.x kernels and IPFWADM.</P
></LI
></UL
> </P
></DIV
></BODY
></HTML
>