This is a discussion on IPFilter 4.1 within the IPFilter forums, part of the System Security and Security Related category.
Finally I've reached a point where I think I'm happy enough with
the "ipf4" code to try my hand at making it a major release.

And yes, there's been no "beta" for a while so I'm taking a big gamble in some ways :)

To see how extensively it has been tested, please read:
http://coombs.anu.edu.au/~avalon/ipfilter-status.html

I will point out here that I've been unable to upgrade from FreeBSD 5.1 to 5.2 because vmware panics while booting from the ISO image file.

People using Solaris & HP-UX should read this before starting:
http://coombs.anu.edu.au/~avalon/ipf-mentat.html

Download from:
--------------
http://coombs.anu.edu.au/~avalon/ip_fil4.1.tar.gz

Upgrades for BSDs
-----------------
This will occur in time. My plan is for both FreeBSD & NetBSD to move from 3.4.whatever to 4.1.something.

Future for IPFilter 3.4.x
-------------------------
Will remain patched for stability only. One primary driver here is that there are currently NICs that this version can filter on Solaris that 4.1 cannot.

Details on new features
-----------------------
Over the coming weeks, I'll write up on a web page detailing in more depth how each of the new features works. The man pages are also most likely in need of extra work... but who likes documentation? O:-)

Darren

What's new in IPFilter 4.1
==========================
(Well, compared to 3.*, anyway)

In no particular order, except headline alphabetical:

Administration:
- Run-time support for modifying ipf table size parameters.
- Run-time support for tuning other ipfilter parameters.

Content Scanning:
- Simple matching of content for TCP session startup.

Firewall Synchronising:
- Master/slave programs available.

General:
- All input files allow simple 'macro' definitions and expansion, including nesting.
- Code has been rototilled to make maintenance and enhancements easier for me and you.
- More configuration files and binaries.
- Takes up more memory.
- Probably slower.
- Versioned API to support changes in the ABI without breaking existing binaries (4.0 onward only.)
- IP-Filter framework in place for handling multiple different types of packet matching for firewalling.
- IP Id number rewriting available.
- Verification of checksums for recognised packet types.
- Optionally enable/disable IP forwarding when enabled/disabled.

IPF:
- BPF syntax available for matching packets in ipf rules (1).
- Can convert IPv4 ipf rules into C code and either:
  * load them as an LKM; or
  * compile them statically into the kernel (where possible.)
- Address pools allow for simpler rules covering large numbers of addresses/networks (IPv4 only).
- Lookup functions available to map an IPv4 address to a group.
- Groups can be referenced by multiple heads for subroutine-like use.
- NAT/ipf rules can refer to each other via a tag, creating an implied join that forms part of the packet matching.
- Extra packet attributes available for filter rules:
  * source address/routing interface mismatch;
  * multicast (3);
  * broadcast (2,3);
  * state lookup partially failed;
  * out of the TCP window for a state connection;
  * NAT lookup partially failed.
- PPS (packets per second) matching available for ipf rules.
- Rule collections (cf FreeBSD numbering) supported for ipf rules.
- Groups can now be names rather than just numbers.

IPV6:
- Understands extension headers.
- Can filter on extension headers.

Logging:
- ipmon now comes with a configuration file for more advanced logging behaviour.
- Can append arbitrary logging tags with ipf rules for easy matching.

NAT:
- "sticky" mapping available to ensure an address translation on a per-address basis is always the same (while known) for a set IP address.

Operating System Support:
- HP-UX 11 added.
- Tru64 5.1a added.
- Solaris/HP-UX now use pfil STREAMS module.
- Linux 2.4 on the way.

Proxies:
- PPTP proxy added.
- IRC proxy added.
- RPCBIND proxy added.
- FTP proxy support for EPSV (IPv4 only.)

Stateful Inspection:
- Can insist that all TCP data arrives in order.
- Can insist that all fragments pass through in order.
- The number of states created per-rule can be set where the total across all rules may exceed the maximum allowed.
- Can elect not to automatically match ICMP error packets.
- TCP sequence number rewriting supported.

(1) - Requires libpcap for rule parsing
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4
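The following is an added configuration example, not part of Darren's announcement above and not shipped with IPFilter itself. It sketches how several of the new 4.1 features listed in the post (address pools, named groups, and the per-rule state options) fit together in ippool.conf and ipf.conf. The interface name `bge0`, the address ranges, the pool number, and the group name are constructed for illustration; the rule syntax is written from the ipf.conf(5) and ippool.conf(5) pages of the 4.1 release as the editor reads them and should be checked against the man pages of the version actually installed before loading with ippool(8) and ipf(8).

```conf
# ippool.conf (added example; pool number 1 and prefixes are constructed)
# An IPv4 address pool lets one rule cover many networks instead of
# one rule per prefix (feature: "Address pools ... IPv4 only").
table role = ipf type = tree number = 1
{
	10.0.0.0/8;
	172.16.0.0/12;
	192.168.0.0/16;
};

# ipf.conf (added example; interface bge0 and group name "inbound" are constructed)
# Drop inbound packets whose source claims an RFC1918 address, using the
# pool above rather than three separate block rules.
block in log quick on bge0 from pool/1 to any

# Hand all remaining inbound traffic to a group referred to by name
# rather than by number (feature: "Groups can now be names").
pass in on bge0 all head inbound

# Stateful rules inside the named group. The keep state options map to
# the "Stateful Inspection" bullets in the announcement:
#   limit N      - cap the number of state entries this rule may create
#   strict       - insist that TCP data arrives in order
#   no-icmp-err  - do not automatically match ICMP error packets
#   newisn       - rewrite TCP initial sequence numbers
pass in quick proto tcp from any to any port = 22 flags S \
	keep state (limit 200, strict) group inbound
pass in quick proto tcp from any to any port = 80 flags S \
	keep state (limit 2000, newisn) group inbound
pass in quick proto udp from any to any port = 53 \
	keep state (no-icmp-err) group inbound

# Anything not matched inside the group falls through to here and is logged.
block in log quick all group inbound
```

Load order matters: the pool must exist before any rule that references `pool/1`, so `ippool -f ippool.conf` runs before `ipf -f ipf.conf`. The `limit` values bound how much state memory a single rule can consume, which is the point of the per-rule limit feature: the sum of all limits may exceed the global maximum, so a flood against one service cannot starve the state table for the others.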