What's new in IPFilter 4.1
==========================
(Well, compared to 3.*, anyway)
In no particular order, except headline alphabetical:

Administration:
 - Run-time support for modifying ipf table size parameters.
 - Run-time support for tuning other ipfilter parameters.

Content Scanning:
 - Simple matching of content for TCP session startup.

Firewall Synchronising:
 - Master/slave programs available.

General:
 - All input files allow simple 'macro' definitions and expansion,
   including nesting.
 - Code has been rototilled to make maintenance and enhancements
   easier for me and you.
 - More configuration files and binaries.
 - Takes up more memory.
 - Probably slower.
 - Versioned API to support changes in the ABI without breaking
   existing binaries (4.0 onward only.)
 - IP-Filter framework in place for handling multiple different
   types of packet matching for firewalling.
 - IP Id number rewriting available.
 - Verification of checksums for recognised packet types.
 - Optionally enable/disable IP forwarding when enabled/disabled.

IPF:
 - BPF syntax available for matching packets in ipf rules (1).
 - Can convert IPv4 ipf rules into C code and either:
   * load them as an LKM; or
   * compile them statically into the kernel (where possible.)
 - Address pools allow for simpler rules covering large numbers of
   addresses/networks (IPv4 only).
 - Lookup functions available to map an IPv4 address to a group.
 - Groups can be referenced by multiple heads for subroutine-like use.
 - NAT/ipf rules can refer to each other via a tag, creating an implied
   join that forms part of the packet matching.
 - Extra packet attributes available for filter rules:
   * source address/routing interface mismatch;
   * multicast (3);
   * broadcast (2,3);
   * state lookup partially failed;
   * out of the TCP window for a state connection;
   * NAT lookup partially failed.
 - PPS (packets per second) matching available for ipf rules.
 - Rule collections (cf FreeBSD numbering) supported for ipf rules.
 - Groups can now be names rather than just numbers.

IPV6:
 - Understands extension headers.
 - Can filter on extension headers.

Logging:
 - ipmon now comes with a configuration file for more advanced logging
   behaviour.
 - Can append arbitrary logging tags with ipf rules for easy matching.

NAT:
 - "sticky" mapping available to ensure an address translation on
   a per-address basis is always the same (while known) for a set
   IP address.

Operating System Support:
 - HP-UX 11 added.
 - Tru64 5.1a added.
 - Solaris/HP-UX now use pfil STREAMS module.
 - Linux 2.4 on the way.

Proxies:
 - PPTP proxy added.
 - IRC proxy added.
 - RPCBIND proxy added.
 - FTP proxy support for EPSV (IPv4 only.)

Stateful Inspection:
 - Can insist that all TCP data arrives in order.
 - Can insist that all fragments pass through in order.
 - The number of states created per-rule can be set where the total
   across all rules may exceed the maximum allowed.
 - Can elect not to automatically match ICMP error packets.
 - TCP sequence number rewriting supported.

(1) - Requires libpcap for rule parsing.
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4.