[Firewall] Firewall version 1.9.2l (stable) available for download - IMPORTANT SECURITY UPDATE!

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Wed Aug 25 14:46:39 CEST 2010


Hi all,

A new minor release of my firewall is available, version 1.9.2l. It has 
some small tweaks & fixes, but the most important one is a fix for a 
major security issue concerning machines which are reachable via IPv6 
(from the internet) but are using the firewall in IPv4 mode. These 
machines were previously fully "open" via IPv6. There are probably not 
an awful lot of machines out there that are vulnerable to this issue, 
but it's a serious issue nevertheless.

You can grab it from:
http://rocky.eld.leidenuniv.nl/arno-iptables-firewall/arno-iptables-firewall_1.9.2l.tar.gz

CHANGELOG:

Version 1.9.2l (August 25, 2010)
--------------------------------
* Slightly safer check on whether we have IPv6 on the system we're running
! IPv6 detection failed due to our sysctl wrapper function being too 
verbose. This caused IPv6 to always be "open" on systems having IPv6 
connectivity (Debian bug #594326, thanks to Tim Small for reporting this)
* From now on explicitly set all variables for sysctl wildcard variables 
(like "net.ipv4.conf.*.rp_filter") since newer kernels handle those 
differently now (Thanks to Klemen Mihevc)
+ The "Blocked Host" feature adds the BLOCK_HOSTS_BIDIRECTIONAL option 
to specify whether hosts are blocked both Inbound and Outbound (default) 
or Inbound only. (Thanks Philip)
* Don't masquerade IPv6/proto 41 (thanks Klemen Mihevc)
* Use unset IFS only for actual rules
* Re-added local IFS in environment
+ Added option to enable/disable antispoofing for internal/dmz nets
! Don't "unset IFS" immediately after "local IFS" declaration in 
functions, this breaks older shells
+ Added option to enable/disable IGMP logging
! Modprobe didn't work properly for old modprobe/distros when modules 
were compiled in-kernel
+ Configure option to allow user to enable full access for the external 
subnet
+ Implemented EXT_BROADCAST_CHAIN


Njoy!

Arno


-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
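The IPv6-detection failure from the changelog above, re-created as an added shell example; this is not code from arno-iptables-firewall, and the function names, the SYSCTL_ROOT override and the fake /proc/sys tree used for testing are assumptions for illustration. It shows one plausible way the described bug arises: a sysctl wrapper that prints diagnostics on stdout breaks a value comparison, so the script concludes the host has no IPv6 and never loads ip6tables rules, leaving IPv6 open. The fixed wrapper keeps stdout for the value only, and the last function shows the per-interface loop that the wildcard sysctl item calls for.

```shell
#!/bin/sh
# Added example re-creating the 1.9.2l IPv6 detection pitfall. Hypothetical
# names; NOT the firewall's own code. SYSCTL_ROOT lets the functions run
# against a fake /proc/sys tree (set by the caller) instead of the real one.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Map a dotted key ("net.ipv6.conf.all.disable_ipv6") to its file under
# SYSCTL_ROOT. A "*" component is passed through for later glob expansion.
sysctl_path() {
  printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Buggy pattern: the wrapper chats on stdout, so any caller that captures
# its output gets "DEBUG: ..." mixed in with (or instead of) the value.
sysctl_get_verbose() {
  echo "DEBUG: reading $1"                 # diagnostic on stdout: the bug
  cat "$(sysctl_path "$1")" 2>/dev/null
}

# Fixed pattern: diagnostics on stderr, stdout carries only the value, and
# the exit status tells the caller whether the key exists at all.
sysctl_get() {
  _path="$(sysctl_path "$1")"
  [ -r "$_path" ] || { echo "sysctl: $1 not found" >&2; return 1; }
  cat "$_path"
}

# Detection built on the verbose wrapper: the captured string is
# "DEBUG: reading ...<newline>0", never "0", so this ALWAYS reports
# "no IPv6" and an IPv4-mode script would skip its ip6tables rules.
have_ipv6_buggy() {
  [ "$(sysctl_get_verbose net.ipv6.conf.all.disable_ipv6)" = "0" ]
}

# Safer check: the key must exist (IPv6 stack compiled/loaded) AND IPv6 must
# not be administratively disabled.
have_ipv6() {
  _val="$(sysctl_get net.ipv6.conf.all.disable_ipv6 2>/dev/null)" || return 1
  [ "$_val" = "0" ]
}

# Three-way status so a caller can fail closed: "absent" (no IPv6 stack),
# "disabled" (stack present but disable_ipv6=1) or "present".
ipv6_status() {
  _val="$(sysctl_get net.ipv6.conf.all.disable_ipv6 2>/dev/null)" \
    || { echo absent; return 0; }
  case "$_val" in
    0) echo present ;;
    *) echo disabled ;;
  esac
}

# Newer kernels do not apply a "net.ipv4.conf.*.rp_filter" wildcard the way
# older ones did, so write every matching per-interface key explicitly.
# Prints the number of keys written. $1 = key containing "*", $2 = value.
sysctl_set_wildcard() {
  _key="$1"; _value="$2"; _n=0
  for _p in $(sysctl_path "$_key"); do     # unquoted: shell expands the "*"
    [ -f "$_p" ] || continue               # no match: glob left literal
    if printf '%s\n' "$_value" > "$_p" 2>/dev/null; then
      _n=$((_n + 1))
    fi
  done
  echo "$_n"
}

# Stand-alone use: "sh this.sh --check" reports the live host's IPv6 status.
if [ "${1:-}" = "--check" ]; then
  echo "ipv6: $(ipv6_status)"
fi
```

The practical point for anyone running the firewall in IPv4 mode on a dual-stack host: treat "present" and "disabled" differently from "absent", and when in doubt apply a default-deny ip6tables policy rather than skipping IPv6 entirely.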