/usr/share/doc/uruk/NEWS is in uruk 20120608.1-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

Uruk NEWS - user visible changes (and some other changes also.)

Refer to ChangeLog for detailed per-file info.

uruk version 20120608.1 - released October 25, 2012, for Debian "wheezy"

- uruk/script/uruk: Fix IPv6 firewalling in case uruk is used on a host (not
  transit) firewall by applying patch contributed by Thijs Kinkhorst: "Uruk
  implemented RFC 4890 section 4.3: Recommendations for ICMPv6 Transit
  Traffic. However uruk is used in some (many?) cases not as a transit firewall
  but as a host firewall for destination entities. Therefore, also the
  recommendations from section 4.4: Recommendations for ICMPv6 Local
  Configuration Traffic need to be added."


uruk version 20120608 - The Hooidonk Release

- uruk/script/uruk: No longer block, but allow ICMPv6 type 137 Redirect Message
  [RFC4861].  These are needed for Duplicate Address Detection in IPv6
  autoconfiguration: RFC 4429 says: "the router should [...] provide the ON
  with an ICMP Redirect, which may include a Target Link-Layer Address Option
  (TLLAO)."  Thanks Casper Gielen.
- uruk/init/uruk: Apply patch for uruk init script, in order to make sure
  uruk starts early enough in boot sequence:

   -# Required-Start:    $network $remote_fs
   -# Required-Stop:     $network $remote_fs
   +# Required-Start:    mountkernfs $local_fs
   +# Required-Stop:
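
  Review bot: Dropping $remote_fs from the Required-Start line leaves nothing
  that guarantees /usr/sbin/uruk is reachable when /usr lives on a remote
  filesystem; the 20100820 entry added $remote_fs for exactly that reason.
  Suggest documenting that /usr must be on a local filesystem, or having the
  init script check for the binary and fail with a clear message.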

   -# Default-Stop:      0 1 6
   +# Default-Stop:      0 6
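
  Review bot: The Default-Stop line removes runlevel 1 without giving a
  reason, which reverts the 20100820 change from "0 6" to "0 1 6" that was
  made so runlevel 1 would not be special-cased.  Suggest stating in this
  entry, or in a comment in the init script, why runlevel 1 is treated
  differently again.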

   +# X-Start-Before: networking
   +# X-Stop-Before:

  contributed by Wessel Dankers.  Thanks!


uruk version 20120605 - The Pickensteeg Release

- configure.ac: no longer die if programs zoem, col and/or groff are not
  found.


uruk version 20120530

- uruk/script/uruk.in: icmpv6: DROP some.  Based upon suggestions found in
  rfc4890-icmpv6-firewall.sh.  A.o., the following ICMPv6 packets are now
  dropped by default: Redirect messages: redirect; Multicast Listener queries
  (MLDv1 and MLDv2): 130; Multicast Listener reports (MLDv1): 131; Multicast
  Listener Done messages (MLDv1): 132; Multicast Listener reports (MLDv2):
  143; Router renumbering messages: 138; and Node information queries (139)
  and replies (140): 139 140.
- uruk/doc/rfc4890-icmpv6-firewall.sh, uruk/doc/rfc4890.license.msg: ship
  example ICMP v6 script from RFC 4890, by Suresh Krishnan.  It is available
  under a BSD-style license.
- zoem no longer needed to build from this tarball: pretypeset documentation
  is shipped.
- we no longer rely upon expansion of BIN_PATH SBIN_PATH DATA_PATH SYSCONF_PATH
  LOCALSTATE_PATH using AC_DEFINE_DIR, as defined in GNU Autoconf Macro
  Archive's ac_define_dir.m4.  These are now hardcoded to /usr/bin, /usr/sbin,
  /var, /etc and /usr/share.  (Package autoconf-archive >= 20111221-1 (and
  possibly also older ones) no longer ships ac_define_dir.  From changelog:
  2011-09-16 "AX_DEFINE_DIR: Obsolete: it doesn't comply with the GCS." See
  http://lists.gnu.org/archive/html/bug-autoconf/2011-09/msg00013.html for
  discussion.)


uruk version 20110831

- uruk/man/Makefile.am: assume zoem knows where to find aephea;
  get rid of hardcoded ZOEMSEARCHPATH=/usr/share/aephea.  You
  need zoem >= 11-166 to build this uruk.


uruk version 20110608

- The IPv6 Day release!  (Today is ISOC's World IPv6 Day, see
  http://www.worldipv6day.org/)
- Fix some more zoem >= 10-265-1 (cosmetic) issues.
- doc/default: examples now more useful: just uncomment the line to
  change behaviour. tnx Thijs Kinkhorst for sharing ideas.


uruk version 20110602

- bootstrap: now builds with automake 1.11 (no longer 1.9)
- uruk/man/Makefile.am, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm,
  uruk/man/uruk.azm: converted manpages to zoem >= 10-265-1 + aephea >=
  10.008-1 format.
- script/uruk.in: behave more gracefully on suspicious rc file: issue
  a warning in case of undefined variable.  Thanks Wessel Dankers
  for bringing this up & supplying a first implementation.


uruk version 20110213

- init/uruk.in: Support for IPv6 packet filtering has been enabled by
  default.  It is no longer required to edit /etc/default/uruk to enable
  it: if you'd like to use IPv6 packet filtering, you now can remove any
  setting of enable_ipv6 in /etc/default/uruk.  If you'd prefer NOT to
  use IPv6 packet filtering, be sure your /etc/default/uruk has
  "enable_ipv6=false".


uruk version 20100831

- Fix example rc file: found out /sbin/ip6tables (as shipped with e.g. iptables
  1.4.8-2) understands both full and abbreviated IPv6 names, while the shipped
  /sbin/iptables understands full names only.  Thanks ﻢﻫﺪﻳ ﺎﻟﺩڤﻱ.


uruk version 20100823

- README: added upgrade instructions for releases <= 20100717.
- script/uruk.in: Update to new iptables syntax: Get rid of warning
  "Using intrapositioned negation (`--option ! this`) is deprecated in
  favor of extrapositioned (`! --option this`)."


uruk version 20100821

- script/uruk.in: fix bug introduced in version 20100820: uruk: 391: Syntax
  error: Unterminated quoted string


uruk version 20100820

- Enable support for IPv6 packet filtering.  See the README file for
  upgrade instructions.
  + script/uruk.in: ip6tables is now enabled in the uruk script by default.
    However, if you interact with uruk using the init script, you still have
    to add "enable_ipv6=true" to /etc/default/uruk to fully enable it.
  + man/uruk*.azm, doc/rc: manpages and example rc file updated to reflect
    IPv6-support is no longer considered experimental.
  + script/uruk.in: Drop unroutable IPv6 traffic.  Use connection tracking
    for IPv6.  Patch supplied by Casper Gielen.
- init/uruk.in: Fix bugs in support for dependency based boot sequencing
  + We want to start early in boot sequence (on entering runlevel S).  LSB
    init.d header however had "Default-Start: 2 3 5". Fix this to S.  Thanks
    Petter Reinholdtsen for the patch in http://bugs.debian.org/581659.
  + Furthermore, change Default-Stop: "0 6" to "0 1 6": no need to special
    case runlevel 1 (thanks Debian's lintian).
  + Finally, added "$remote_fs" to Required-Start: and Required-Stop: since
    obviously we need /usr/sbin/uruk to be available (thanks again Debian's
    lintian).
- Makefile.am, bootstrap: some tweaking of buildsystem.


uruk version 20100717

- The uruk code is no longer maintained using GNU Arch, but using the git
  version control system.
- Use IPv6 connection tracking if supported by kernel. Patch contributed by
  Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl>.


uruk version 20080330

- Make behaviour more robust when uruk loglevel is set between 20 and 40 and
  IPv6 is enabled.  In case not all IPv6 addresses were explicitly specified,
  uruk would give an error:
     ip6tables v1.3.6: Unknown arg `--destination'
     Try `ip6tables -h' or 'ip6tables --help' for more information.
  (it would try to run
     /sbin/ip6tables -A INPUT -j LOG --log-level debug --log-prefix
     'ip6tables: ' -i eth0 --destination
  in this situation.)  These errors did NOT compromise the firewall
  rules, btw.  When addresses are missing, uruk no longer tries to log the
  traffic.


uruk version 20080307

- Fix a bug showing up when uruk loglevel is set between 20 and 40 and IPv6
  is enabled: it caused errors like "ip6tables v1.3.6: host/network 10.1.2.3
  not found".  These errors did NOT compromise the firewall rules, btw.
- Added support for multiple hook files (like rc_a) working at one entry
  point.  See uruk-rc(5) and uruk(8).  Thanks Wessel Dankers for the
  suggestion and for a first implementation.


uruk version 20071101

- Added another contribution from Fred Vos to contrib/: fw2dot.xsl: generating
  a dot file (for graphviz) from an XML-ed uruk rc file.
- Various fixes in uruk init script.  Among others: fix behaviour of "reload"
  and "force-reload" in case uruk not running.


uruk version 20071030

- We ACCEPT traffic on lo earlier in the uruk ruleset: that's more efficient.
  Traffic on lo will no longer be delayed by our ruleset.

  Uruk <= 20051129 built its rules like:

      1  rc is sourced as a shell script
      2  $rc_a is sourced as a shell script
     [...]
      8  $rc_d is sourced
      9  Traffic on lo is trusted
     10  $rc_e is sourced
     11  Don't answer broadcast and multicast packets
    [...]

  Uruk >= FIXME builds its rules as:

      1  rc is sourced as a shell script
      2  Traffic on lo is trusted
      3  $rc_a is sourced as a shell script
    [...]
      9  $rc_d is sourced
     10  Don't answer broadcast and multicast packets
    [...]

  see uruk(5)

  If you've done tricks with lo in any of the rc_ hook scripts, you risk being
  hit by incompatibilities.  Study the uruk source to find out how to fix your
  hook.  If you're not using any hook scripts, you are safe: your uruk
  configuration will still work fine.  If you're using hook scripts, but don't
  do anything specific with lo in your scripts, you are likely safe: your
  configuration will likely still work.

  If you were using rc_a to add rules to the absolute beginning of the ruleset,
  you might have to move these to the rc-file: traffic on lo is now accepted
  _before_ rc_a is sourced.

  If you rely on traffic on lo to be logged, and your loglevel was "fascist",
  you should craft some hack: this traffic will no longer be logged by default
  with this loglevel.

  rc_e is now obsolete.  You should move your rc_e stuff to rc_d.  (rc_e for
  now will still work, though.)

- The uruk init script now is (should be) Linux Standards Base v 3.1.0
  compliant.  Added extra supported argument "status".  The script now
  _requires_ the file /lib/lsb/init-functions to be present, and to define the
  shell functions log_success_msg, log_failure_msg and log_warning_msg.  LSB
  compliant systems (recent releases of Debian GNU/Linux, Red Hat Enterprise
  Linux, Ubuntu Linux, a.o.) supply this.
- Introduced new variables interfaces_unprotect and URUK_INTERFACES_UNPROTECT.
- Add XML stuff contributed by Fred Vos, including some preliminary documentation
  (in Dutch).  Could be used to transform an XML-file describing uruk rules to
  an uruk rc file.  Shipped in contrib/, installed in .../doc/uruk/contrib/.
- Uruk is now licensed under GPLv3 (or any later version).
- man/Makefile.am: no longer try to support non-ascii characters in .txt
  manpages.  col, as shipped with the bsdutils 1:2.13-2 Debian package chokes
  on output of groff, as shipped with the 1.18.1.1-12 Debian package.  See also
  Debian bug Bug#441659.
- TODO: added some more received wishlist bugs (thanks Wessel Dankers and Fred
  Vos)
- Minor fixes in uruk(8) manpage.
- uruk-rc(5): documented improved way to unprotect an interface, thanks Wessel
  Dankers.
- TODO, init/uruk.in: found and documented bug: /etc/init.d/uruk force-reload
  breaks when nat or mangle table are used.  Thanks Wessel Dankers for spotting
  this.


uruk version 20051129

- On Red Hat, start the uruk initscript _after_ network interfaces are
  configured.  (We have always been doing this in the Debian package.) This is
  needed in order to support usage where the rc file queries the operating
  system to learn about current IP addresses.  With uruk 20051026 and 20051027,
  such usage was not possible.  See TODO for notes on pending issues related
  to this.
- Build-depend upon zoem >= 05-328.


uruk version 20051027

- Fixed bug in uruk script.  Reported to pop up when /bin/sh is bash
  and $version is not set in /etc/uruk/rc.


uruk version 20051026

- More examples in uruk-rc(5) manpage.  Thanks Roland van Hout for
  suggestion.
- Experimental ip6tables support added to uruk(8) and uruk-save(8).
  See comments in the uruk script.  New option "-6" for uruk-save(8).
- The uruk init script now sources both /etc/default/uruk and
  /etc/sysconfig/uruk (if present, of course).  An example file for
  /etc/{default,sysconfig}/uruk is now shipped and gets installed in
  /usr/[local/]share/doc/uruk/examples/.
- Major overhaul of the uruk init script.  This script now is more integrated
  in the uruk framework.
  + The pre-uruk situation is now saved and restorable.
  + Optionally calls uruk-save (and displays a warning by default).
  + Calls uruk if applicable.
  + Improved options: start, stop, force-reload, reload.  These now
    behave more intuitively.
  + The saved active and inactive rules now no longer get out of sync with
    the uruk rc file.  (O.t.o.h.: one can no longer maintain part of the
    firewall configuration outside the uruk rc file.)
  + New option: create
  See README on what the implications are if you're upgrading.  Thanks to
  Wessel Dankers for his ideas about an improved uruk init script.
- uruk(8) now checks for the Uruk version the rc file was created for.
  This will allow for more sane behaviour in case of future incompatible
  upgrades.
- Buildsystem: ./bootstrap now uses autoreconf(1).


uruk version 20050718

- This is a pre-release.
- Added support for loglevel, see uruk-rc(5).  Some people were annoyed
  by uruk's syslog spamming.  If you're one of these, set loglevel=30 (or
  10) in your rc-file.


uruk version 20050414

- This is a pre-release.
- Uruk now is maintained using GNU Arch on http://arch.gna.org/uruk/ .
  See README.
- ChangeLog entries from 2003 split off in ChangeLog.2003.
- Uruk(8) now honors environment variables URUK_IPTABLES (/sbin/iptables by
  default) and URUK_CONFIG (/etc/uruk/rc by default).
- Now ships new script uruk-save(8); which saves /etc/uruk/rc in
  iptables-{save,restore} format, without invoking iptables.  You could
  use it e.g. when loading a new rc file.  See the updated uruk(8) manpage.
- The uruk init script now honors /etc/default/uruk.  See comments in the
  code.
- The uruk init script acts more sane when passed {stop,start} while no
  saved rules files are present: it tries to generate these in such
  circumstances.  It will warn you it's doing so.


uruk version 20040625

- Fixed bug in multiple IP per network interface mode.  Uruk was
  unusable in such a setup.
- Some tweaking of build system.


uruk version 20040216

- Fixed severe bugs in uruk script: 20040213 was unusable.
- init script now supports chkconfig: Red Hat is now better supported.


uruk version 20040213

- Support for multiple IP addresses on one network interface added.  New
  variables ips_<nic> and bcasts_<nic> introduced.  See uruk-rc(5).  Don't
  worry: your old rc file will still behave as it used to.


uruk version 20040210

- Allow more ICMP types by default.  Tnx Wessel Dankers for suggestion.
- The Uruk init script is now more helpful when often-encountered errors occur.
- Added warning to uruk(8) manpage: uruk does no sanity checking.


uruk version 20031111

- We no longer create our own ``block'' chain: the built-in INPUT and OUTPUT
  chains suffice for our purposes.  This makes uruk's rule setup much more
  simple.  Thanks to Wessel Dankers.
- rc_1, ... , rc_10 are NO LONGER SUPPORTED.  We use rc_a, rc_b, rc_c, ... now.
  In the future, rc_aa, rc_aab, ... might get added.  You'll HAVE TO rewrite
  your rc_<n> style stuff MANUALLY.  See the notes on UPGRADE in the README
  file.  (Your uruk/rc file will still work fine.  No other changes in the
  configuration file syntax are introduced in this release.)
- If you have saved your rules using iptables-save or the uruk init script,
  you'll have to rebuild them.  The old-style rules are not supported by this
  uruk release.


uruk version 20031026

- Fixed bug which made "/etc/init.d/uruk stop" fail.
- Documented more of uruk's features.


uruk version 20031008

- Init script more robust, especially on fresh installs. (We still suffer
  from at least one bug though, see TODO.)
- Started documenting rc_<n> hooks.
- Various minor and cosmetic cleanups in documentation.


uruk version 20031004

- ad1810-firewall is now called uruk.
- big changes in build system and documentation system:
  - manpages have been converted from Perl's pod format to zoem format.  See
    README for details.
  - now build-depends on zoem: documentation depends on configure-time
    settings.
- ad1810-firewall under some circumstances was not reboot-resistant: I've
  missed a change in the Debian iptables package behaviour.
  The Debian iptables package >= 1.2.7-8 (7 Dec 2002) will not call
  /etc/init.d/iptables on boot by default.  We now ship our own
  init script to deal with this (thanks to Laurence J. Lane).


ad1810-firewall version 20030829

- ad1810-firewall-rc manpage converted from pod to zoem
  ( http://micans.org/zoem ).
- rc_1, rc_2, .... rc_10 feature supported by ad1810-firewall script: set
  e.g. rc_1=/usr/local/etc/ad1810-firewall/rc_1 in your
  ad1810-firewall-rc(5).  This file should contain shell code.  This is
  executed early in the ad1810-firewall routine, allowing finegrained tweaking
  of rules, for systems with special demands.  For now, see the
  ad1810-firewall shell code for more details.  More documentation will follow.


ad1810-firewall version 20030512

- Moving manpage format from pod to zoem.
- Fixed automatic version numbering in build system; no more wacky vyyyymmdd
  versions.  Thanks Raja R Harinath on the autoconf list.
- rc should no longer define e.g. sources_eth0_tcp_www, where www is a port,
  but e.g. sources_eth0_tcp_public, where public is a symbolic name for a
  (set of) services.  Furthermore, the new variable ports_eth0_tcp_public
  should be defined as e.g. "www".


ad1810-firewall version v20030427

- rc File location now depends on sysconfdir, as set during configure.
- Various documentation updates.


ad1810-firewall version v20030426

- First public alpha release.  Untested!